About the Documentation


• Documentation and Release Notes on page xi
• Documentation Conventions on page xi
• Documentation Feedback on page xiii
• Requesting Technical Support on page xiv


Documentation and Release Notes 


To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at 
https://www.juniper.net/documentation/. 


If the information in the latest release notes differs from the information in the 
documentation, follow the product Release Notes. 


Juniper Networks Books publishes books by Juniper Networks engineers and subject 
matter experts. These books go beyond the technical documentation to explore the 
nuances of network architecture, deployment, and administration. The current list can 
be viewed at https://www.juniper.net/books. 


Documentation Conventions 


Table 1 on page xii defines notice icons used in this guide. 
Table 1: Notice Icons

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.





Table 2 on page xii defines the text and syntax conventions used in this guide. 
Table 2: Text and Syntax Conventions 


Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:

user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:

user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or
configuration statements.
Examples: Configure the machine's domain name:

[edit]
root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories;
configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id]
hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either
side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:

broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement
to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples:

[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples: The routing-options example above; nexthop address; and retain; are leaf statements.

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.



Documentation Feedback 


We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at https://www.juniper.net/documentation/index.html, simply click the stars to rate the
content, and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
https://www.juniper.net/documentation/feedback/.

• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).


Requesting Technical Support 


Technical product support is available through the Juniper Networks Technical Assistance 
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service 
support contract, or are covered under warranty, and need post-sales technical support, 
you can access our tools and resources online or open a case with JTAC. 


• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit
https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.


Self-Help Online Tools and Resources 


For quick and easy problem resolution, Juniper Networks has designed an online 
self-service portal called the Customer Support Center (CSC) that provides you with the 
following features: 


• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes:
https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:
https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:
https://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: https://www.juniper.net/cem/


To verify service entitlement by product serial number, use our Serial Number Entitlement 
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/ 


Opening a Case with JTAC 
You can open a case with JTAC on the Web or by telephone. 


• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
https://www.juniper.net/support/requesting-support.html.
CHAPTER 1


Overview 


• Understanding the Common Criteria Evaluated Configuration on page 17
• Identifying Secure Product Delivery on page 18
• Understanding Management Interfaces on page 19


Understanding the Common Criteria Evaluated Configuration 


This document describes the steps required to duplicate the configuration of the device 
running Junos OS when the device is evaluated. This is referred to as the evaluated 
configuration. The following list describes the standards to which the device has been 
evaluated: 


• Security Requirements for Network Devices, Version 1.1, 08 June, 2012 (NDPP)

• Security Requirements for Network Devices Errata #2, 13 January, 2013

• Network Device Protection Profile (NDPP) Stateful Traffic Filter Firewall Extended
Package (FWEP), Version 1.0, 19 December, 2011 (FWEP)

• Network Device Protection Profile (NDPP) VPN Gateway Extended Package (VPNEP),
Version 1.1, 15 April 2013 (VPNEP)

• Network Device Protection Profile (NDPP) Intrusion Prevention Systems Extended
Package Version 1.0, 26 June, 2014


These documents are available at https://www.niap-ccevs.org/Profile/PP.cfm?archived=1. 


Understanding Common Criteria 


Common Criteria for information technology is an international agreement signed by 28 
countries that permits the evaluation of security products against a common set of 
standards. In the Common Criteria Recognition Arrangement (CCRA) at 
http://www.commoncriteriaportal.org/ccra/, the participants agree to mutually recognize 
evaluations of products performed in other countries. All evaluations are performed using 
a common methodology for information technology security evaluation.


For more information on Common Criteria, see http://www.commoncriteriaportal.org/. 
Supported Platforms


For the features described in this document, the following platforms are supported: 


• The IPSEP, NDPP, FWEP, and VPNEP apply to:
  • SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices
  • SRX5400, SRX5600, and SRX5800 devices with SPC-4-15-320

• The IPSEP, NDPP, and FWEP apply to:
  • SRX1400, SRX3400, and SRX3600 devices
  • SRX5400, SRX5600, and SRX5800 devices with SPC-2-10-40

Related Documentation
• Identifying Secure Product Delivery on page 18


Identifying Secure Product Delivery 


There are several mechanisms provided in the delivery process to ensure that a customer 
receives a product that has not been tampered with. The customer should perform the 
following checks upon receipt of a device to verify the integrity of the platform. 


• Shipping label—Ensure that the shipping label correctly identifies the correct customer
name and address as well as the device.

• Outside packaging—Inspect the outside shipping box and tape. Ensure that the shipping
tape has not been cut or otherwise compromised. Ensure that the box has not been
cut or damaged to allow access to the device.

• Inside packaging—Inspect the plastic bag and seal. Ensure that the bag is not cut or
removed. Ensure that the seal remains intact.


If the customer identifies a problem during the inspection, he or she should immediately 
contact the supplier. Provide the order number, tracking number, and a description of 
the identified problem to the supplier. 


Additionally, there are several checks that can be performed to ensure that the customer 
has received a box sent by Juniper Networks and not a different company masquerading 
as Juniper Networks. The customer should perform the following checks upon receipt of 
a device to verify the authenticity of the device: 


• Verify that the device was ordered using a purchase order. Juniper Networks devices
are never shipped without a purchase order.

• When a device is shipped, a shipment notification is sent to the e-mail address provided
by the customer when the order is taken. Verify that this e-mail notification was received.
Verify that the e-mail contains the following information:

  • Purchase order number
  • Juniper Networks order number used to track the shipment
  • Carrier tracking number used to track the shipment
  • List of items shipped including serial numbers
  • Address and contacts of both the supplier and the customer

• Verify that the shipment was initiated by Juniper Networks. To verify that a shipment
was initiated by Juniper Networks, you should perform the following tasks:

  • Compare the carrier tracking number or the Juniper Networks order number listed in
  the Juniper Networks shipping notification with the tracking number on the package
  received.

  • Log on to the Juniper Networks online customer support portal at
  https://www.juniper.net/customers/csc/management to view the order status.
  Compare the carrier tracking number or the Juniper Networks order number listed in
  the Juniper Networks shipment notification with the tracking number on the package
  received.

Related Documentation
• Understanding the Common Criteria Evaluated Configuration on page 17


Understanding Management Interfaces 


The following management interfaces can be used in the evaluated configuration: 


• Local Management Interfaces—The RJ-45 console port on the rear panel of a device
is configured as RS-232 data terminal equipment (DTE). You can use the command-line
interface (CLI) over this port to configure the device from a terminal.

• Remote Management Protocols—The device can be remotely managed over any
Ethernet interface. SSHv2 is the only permitted remote management protocol that
can be used in the evaluated configuration, and it is enabled by default on the device.
The remote management protocols J-Web and Telnet are not available for use on the
device.

Related Documentation
• Understanding the Common Criteria Evaluated Configuration on page 17
CHAPTER 2

Configuring Administrative Credentials
and Privileges

• Understanding the Associated Password Rules for an Authorized
Administrator on page 21

• Configuring a Network Device Protection Profile Authorized Administrator on page 22


Understanding the Associated Password Rules for an Authorized Administrator 


The authorized administrator is associated with a defined login class, and the 
administrator is assigned with all permissions. Data is stored locally for fixed password 
authentication. 


NOTE: We recommend that you not use control characters in passwords.


Use the following guidelines and configuration options for passwords and when selecting
passwords for authorized administrator accounts. Passwords should be:

• Easy to remember so that users are not tempted to write them down.

• Changed periodically.

• Private and not shared with anyone.

• Contain a minimum of 10 characters. The maximum password length is 10 characters.

[edit]
administrator@host# set system login password minimum-length 10

• Include both alphanumeric and punctuation characters, composed of any combination
of upper and lowercase letters, numbers, and special characters such as "!", "@", "#",
"$", "%", "^", "&", "*", "(", and ")". There should be at least a change in one case, one or
more digits, and one or more punctuation marks.

• Contain character sets. Valid character sets include uppercase letters, lowercase
letters, numbers, punctuation, and other special characters.

[edit]
administrator@host# set system login password change-type character-sets

• Contain the minimum number of character sets or character set changes. The minimum
number of character sets required in plain-text passwords in Junos FIPS is 2.

[edit]
administrator@host# set system login password minimum-changes 2

NOTE: The authentication algorithm for plain-text passwords must be
configured as sha1.

[edit]
administrator@host# set system login password format sha1


Weak passwords are:

• Words that might be found in or exist as a permuted form in a system file such as
/etc/passwd.

• The hostname of the system (always a first guess).

• Any words appearing in a dictionary. This includes dictionaries other than English, and
words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so
on. This prohibition includes common words and phrases from sports, sayings, movies,
and television shows.

• Permutations on any of the above. For example, a dictionary word with vowels replaced
with digits (for example f00t) or with digits added to the end.

• Any machine-generated passwords. Algorithms reduce the search space of
password-guessing programs and so should not be used.

Strong reusable passwords can be based on letters from a favorite phrase or word, and
then concatenated with other, unrelated words, along with additional digits and
punctuation.
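The rules above can be checked on an administrator's workstation before a password is committed on the device. The following Python script is an added example and is not part of the Juniper guide: it applies the minimum-length 10 and minimum-changes 2 thresholds stated above, the upper/lower/digit/punctuation mix, the control-character note, and the weak-password list (the hostname, dictionary words, and permutations such as f00t or a word with digits appended). The hostname and word list are constructed sample data, and the leet substitution table is this example's own assumption about which permutations to catch.

```python
import re
import string

# Thresholds from the password rules above:
#   set system login password minimum-length 10
#   set system login password minimum-changes 2
MIN_LENGTH = 10
MIN_CHARACTER_SETS = 2

# Character sets as the guide lists them (upper, lower, numbers, punctuation).
CHARACTER_SETS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}

# Assumed substitution table for catching permutations such as f00t for foot.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def character_sets_used(password: str) -> set:
    """Names of the character sets that occur in the password."""
    return {name for name, chars in CHARACTER_SETS.items()
            if any(c in chars for c in password)}


def matches_weak_word(password: str, weak_words, hostname: str) -> bool:
    """True if the password is a listed word, the hostname, or a permutation of one
    (case change, leet substitution, or digits appended at the end)."""
    candidates = {w.lower() for w in weak_words} | {hostname.lower()}
    lowered = password.lower()
    stripped = re.sub(r"\d+$", "", lowered)          # drop trailing digits
    variants = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return bool(variants & candidates)


def check_password(password: str, hostname: str = "host", weak_words=()) -> list:
    """Return the rule violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than minimum-length {MIN_LENGTH}")
    if any(ord(c) < 32 or ord(c) == 127 for c in password):
        problems.append("contains control characters")
    used = character_sets_used(password)
    if len(used) < MIN_CHARACTER_SETS:
        problems.append(f"uses {len(used)} character set(s); minimum-changes is {MIN_CHARACTER_SETS}")
    if not ({"upper", "lower", "digit", "punct"} <= used):
        problems.append("needs a case change, a digit and a punctuation mark")
    if matches_weak_word(password, weak_words, hostname):
        problems.append("is a dictionary word, the hostname, or a permutation of one")
    return problems


if __name__ == "__main__":
    # Constructed sample: a small word list and the device hostname.
    words = ["foot", "football", "password", "juniper"]
    for candidate in ["f00tball1", "Srx650", "Gr8-Wall!Jump7"]:
        print(candidate, "->", check_password(candidate, hostname="srx650", weak_words=words) or "ok")
```

The device enforces only the length and character-set settings it is given; the dictionary and permutation rules are advisory in the text, which is why they are checked here off-box rather than expected from the platform.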


NOTE: Passwords should be changed periodically.

Related Documentation
• Configuring a Network Device Protection Profile Authorized Administrator on page 22


Configuring a Network Device Protection Profile Authorized Administrator 




An account for root is always present in a configuration and is not intended for use in 
normal operation. In the evaluated configuration, the root account is restricted to the 
initial installation and configuration of the evaluated device. 


An NDPP authorized administrator must have all permissions, including the ability to 
change the router configuration. 
To configure an authorized administrator:

1. Create a login class named security-admin with all permissions.

[edit]
root@host# set system login class security-admin permissions all

2. Define your NDPP user authorized administrator.

[edit]
root@host# set system login user NDPP-user full-name "Common Criteria NDPP Authorized Administrator" class security-admin authentication encrypted-password <password>

3. Configure the authentication algorithm for plain-text passwords as sha1.

[edit]
root@host# set system login password format sha1

4. Commit the changes.

[edit]
root@host# commit

NOTE: The root password should be reset following the change to sha1 for
the password storage format. This ensures the new password is protected
using a sha1 hash, rather than the default password hashing algorithm. To
reset the root password, use the set system login user root authentication
plain-text-password command, and confirm the new password when prompted.

Related Documentation
• Understanding the Associated Password Rules for an Authorized Administrator on page 21
CHAPTER 3

Configuring SSH and Console Connection

• Configuring a System Login Message and Announcement on page 25
• Limiting the Number of User Login Attempts for SSH Sessions on page 26
• Configuring SSH on the Evaluated Configuration on page 26


Configuring a System Login Message and Announcement 


A system login message appears before the user logs in and a system login announcement
appears after the user logs in. By default, no login message or announcement is displayed
on the device.


To configure a system login message, use the following command: 


[edit] 
user@host# set system login message login-message-banner-text 


To configure system announcement, use the following command: 


[edit] 
user@host# set system login announcement system-announcement-text 


NOTE:
• If the message text contains any spaces, enclose it in quotation marks.
• You can format the message using the following special characters:
  • \n—New line
  • \t—Horizontal tab
  • \'—Single quotation mark
  • \"—Double quotation mark
  • \\—Backslash

Related Documentation
• Configuring SSH on the Evaluated Configuration on page 26
Limiting the Number of User Login Attempts for SSH Sessions


A remote administrator may log in to a device through SSH. Administrator credentials
are stored locally on the device. If the remote administrator presents a valid username
and password, access to the TOE is granted. If the credentials are invalid, the TOE allows
the authentication to be retried after an interval that starts after 1 second and increases
exponentially. If the number of authentication attempts exceeds the configured maximum,
no authentication attempts are accepted for a configured time interval. When the interval
expires, authentication attempts are again accepted.

You can configure the device to limit the number of attempts to enter a password while
logging in through SSH. Using the following command, the connection can be terminated if a
user fails to log in after a specified number of attempts:

[edit system login]
user@host# set retry-options tries-before-disconnect <number>

Here, tries-before-disconnect is the number of times a user can attempt to enter a
password when logging in. The connection closes if a user fails to log in after the number
specified. The range is from 1 through 10, and the default value is 10.

You can also configure a delay, in seconds, before a user can try to enter a password
after a failed attempt.

[edit system login]
user@host# set retry-options backoff-threshold <number>

Here, backoff-threshold is the threshold for the number of failed login attempts before
the user experiences a delay in being able to enter a password again. Use the
backoff-factor option to specify the length of the delay in seconds. The range is from 1
through 3, and the default value is 2 seconds.

In addition, the device can be configured to specify the threshold for the number of failed
attempts before the user experiences a delay in entering the password again.

[edit system login]
user@host# set retry-options backoff-factor <number>

Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in
after a failed attempt. The delay increases by the value specified for each subsequent
attempt after the threshold. The range is from 5 through 10, and the default value is 5
seconds.

Related Documentation
• Configuring SSH on the Evaluated Configuration on page 26
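As an added example that is not part of the guide, the following Python model applies the tries-before-disconnect, backoff-threshold and backoff-factor semantics and ranges stated above to a run of failed attempts, so the resulting delay and disconnect behaviour of a candidate retry-options setting can be reviewed before it is committed. How the delay grows once the threshold is reached (backoff-factor seconds, then one more backoff-factor for every further failure) is this example's reading of the text and is marked as such in the code; the attempt counts are constructed.

```python
# Documented ranges and defaults for [edit system login retry-options]:
# option -> (minimum, maximum, default)
RANGES = {
    "tries-before-disconnect": (1, 10, 10),
    "backoff-threshold": (1, 3, 2),
    "backoff-factor": (5, 10, 5),
}


def validate_retry_options(**opts) -> dict:
    """Apply defaults and reject any value outside the documented range.
    Keyword names use underscores (tries_before_disconnect=3, ...)."""
    settings = {}
    for name, (low, high, default) in RANGES.items():
        value = opts.get(name.replace("-", "_"), default)
        if not low <= value <= high:
            raise ValueError(f"{name} {value} is outside the range {low} through {high}")
        settings[name] = value
    return settings


def simulate_failed_logins(attempts: int, **opts) -> list:
    """Model a user who keeps failing authentication in one SSH session.

    Returns one (attempt, delay_seconds, disconnected) tuple per failed attempt.
    Assumed reading of the text: once backoff-threshold failures have occurred
    the user waits backoff-factor seconds, every further failure adds another
    backoff-factor, and the session is closed at tries-before-disconnect
    failures, so later attempts are never reached."""
    s = validate_retry_options(**opts)
    threshold = s["backoff-threshold"]
    factor = s["backoff-factor"]
    limit = s["tries-before-disconnect"]
    records = []
    for n in range(1, attempts + 1):
        delay = factor * (n - threshold + 1) if n >= threshold else 0
        disconnected = n >= limit
        records.append((n, delay, disconnected))
        if disconnected:
            break
    return records


def total_delay(records: list) -> int:
    """Seconds a failing user spends waiting before the session is closed."""
    return sum(delay for _, delay, _ in records)


if __name__ == "__main__":
    # Constructed scenario: tighter-than-default settings on the evaluated device.
    run = simulate_failed_logins(10, tries_before_disconnect=3, backoff_threshold=2, backoff_factor=5)
    for attempt, delay, closed in run:
        print(f"attempt {attempt}: delay {delay}s{'  (connection closed)' if closed else ''}")
    print("total wait:", total_delay(run), "seconds")
```

Lowering tries-before-disconnect bounds the number of guesses per connection, while the threshold and factor slow each connection down; the model makes the trade-off between the two visible as a single wait time per session.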
Configuring SSH on the Evaluated Configuration

SSH is the only remote management interface allowed in the evaluated configuration.
This topic describes how to configure SSH on the device.


Before you begin, log in with your root account on the device running Junos OS Release 
12.3X48-D30 and edit the configuration. 


NOTE: You can enter the configuration commands in any order and commit
all the commands at once.


To configure SSH on the TOE: 


1. Specify the permissible SSH host-key algorithms for the system services.

[edit system services]
root@host# set ssh hostkey-algorithm ssh-rsa

2. Specify the SSH key-exchange for Diffie-Hellman keys for the system services.

[edit system services]
root@host# set ssh key-exchange dh-group14-sha1

3. Specify all the permissible message authentication code algorithms for SSHv2.

[edit system services]
root@host# set ssh macs hmac-sha1

4. Specify the ciphers allowed for protocol version 2.

[edit system services]
root@host# set ssh ciphers aes128-cbc aes256-cbc
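To confirm that a device's configuration carries only the algorithms permitted by steps 1 through 4, the following Python audit is an added example, not Juniper's code or a Juniper tool. It reads "set system services ssh ..." lines in the CLI's set-format display, accepts a single value or a bracketed list, and reports any statement that is left unrestricted or carries a value outside the evaluated set. Both configurations are constructed samples rather than device captures; hmac-md5 and 3des-cbc appear only as deviating values.

```python
# Permitted values for each SSH statement, as given in steps 1 through 4.
PERMITTED = {
    "hostkey-algorithm": {"ssh-rsa"},
    "key-exchange": {"dh-group14-sha1"},
    "macs": {"hmac-sha1"},
    "ciphers": {"aes128-cbc", "aes256-cbc"},
}


def parse_ssh_statements(config_text: str) -> dict:
    """Collect the values of every 'set system services ssh <statement> ...' line.
    Set-format output gives either one value or a bracketed list: [ a b ]."""
    found = {name: set() for name in PERMITTED}
    for line in config_text.splitlines():
        words = line.split()
        if words[:4] != ["set", "system", "services", "ssh"] or len(words) < 6:
            continue
        statement, values = words[4], words[5:]
        if statement in found:
            found[statement].update(v for v in values if v not in ("[", "]"))
    return found


def audit_ssh_config(config_text: str) -> list:
    """Return findings; an empty list means SSH is restricted to the evaluated algorithms."""
    findings = []
    for statement, values in parse_ssh_statements(config_text).items():
        if not values:
            # Nothing configured: the platform default set applies, which is not the evaluated set.
            findings.append(f"{statement}: not restricted (device default applies)")
            continue
        extra = values - PERMITTED[statement]
        if extra:
            findings.append(f"{statement}: not permitted: {', '.join(sorted(extra))}")
    return findings


# Constructed sample configurations (set-format display), not device captures.
COMPLIANT = """\
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh key-exchange dh-group14-sha1
set system services ssh macs hmac-sha1
set system services ssh ciphers [ aes128-cbc aes256-cbc ]
"""

DEVIATING = """\
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh macs hmac-md5
set system services ssh ciphers [ aes128-cbc 3des-cbc ]
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("deviating", DEVIATING)):
        print(label, "->", audit_ssh_config(cfg) or "matches evaluated configuration")
```

Feed it the output of show configuration | display set (piped to a file and copied off the device); an unrestricted statement is reported as a finding because an absent statement silently keeps the platform's default algorithm list.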


Related Documentation
• Limiting the Number of User Login Attempts for SSH Sessions on page 26
CHAPTER 4


Configuring a Secure Logging Channel 


• Creating a Secure Logging Channel on page 29


Creating a Secure Logging Channel 


This section describes how to place the device in an evaluated configuration to provide 
an encrypted communication channel over an IPsec VPN tunnel, between a device running 
Junos OS and a remote external storage server (syslog server). 


Table 3 on page 29 lists all the supported algorithms for the IPsec VPN tunnel.

Table 3: IPsec VPN Tunnel Supported Algorithms

IKE Phase 1 Proposal

Authentication Method: pre-shared-keys, rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384
Authentication Algorithm: sha-256, sha-384
DH Group: group14, group19, group20, group24
Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm, 3des-cbc

IPsec Phase 2 Proposal

Authentication Algorithm: hmac-sha1-96, hmac-sha256-128
DH Group (PFS): group14, group19, group20, group24
Encryption Method: ESP
Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm, 3des-cbc





Configuring a Trusted Path or Channel Between a Device Running Junos OS and a
Remote External Storage Server


This section describes the configuration details required to provide an encrypted 
communication channel between a device running Junos OS and the remote external 
storage server through an IPsec VPN tunnel. 


NOTE: The remote external storage server is a Linux-based syslog server on
which the IPsec VPN tunnel is terminated at the outbound interface Eth1.
The log data transferred from the device is sent to the syslog termination
interface Eth2; the StrongSwan application provides the IPsec VPN
capability.

Table 4 on page 30 lists the IPsec VPN tunnel details used in this example.

Table 4: IPsec VPN Tunnel Information

Phase 1 Proposal (P1, IKE)
Authentication Method: pre-shared-keys
Authentication Algorithm: sha-256
DH Group: group14
Encryption Algorithm: aes-128-cbc

Phase 2 Proposal (P2, IPsec)
Authentication Algorithm: hmac-sha1-96
DH Group (PFS): group14
Encryption Method: ESP
Encryption Algorithm: aes-128-cbc

Figure 1 on page 31 illustrates the encrypted communication channel between a device
running Junos OS and a remote external storage server. An IPsec tunnel is established
between a device's egress interface (Intf-1) and a remote syslog server outbound interface
(Eth1). Data is then forwarded internally on the remote external storage server from its
outbound interface Eth1, that is, the VPN endpoint, to Eth2.

Figure 1: IPsec VPN Tunnel

Table 5 on page 31 provides the interface and IP configuration details used in this example.


Table 5: Interface and IP Configuration Details for the Trusted Path

Device Running Junos OS
IP Address:
"Intf-2" interface: GE-0/0/1, IP Address: 198.51.100.2
"Intf-1" interface: GE-0/0/2, IP Address: 198.51.100.1
Enable: Syslog logging to remote syslog server

Remote Storage Server
IP Address:
Eth1: 198.51.100.3
Eth2: 203.0.113.1
Gateway Eth1: 198.51.100.1
Tools: SSH and Strongswan (for IPsec VPN)





To configure the trusted path or channel between a device running Junos OS and a remote
external storage server:


1. Enable stream logging for traffic logs. 


[edit security]
user@host# set log cache
user@host# set log mode event
user@host# set log source-address 198.51.100.2
user@host# set log stream STREAM category all
user@host# set log stream STREAM host 203.0.113.1

NOTE: 198.51.100.2 is the IP address of the syslog server outbound interface
at which the IPsec VPN tunnel is terminated, and 203.0.113.1 is the IP
address of the syslog server interface for which log data is destined.

2. Enable syslog on the device.

[edit system]
user@host# set syslog user * any emergency
user@host# set syslog host 203.0.113.1 any any
user@host# set syslog file SYSLOG any any
user@host# set syslog file SYSLOG authorization info
user@host# set syslog file SYSLOG_COMMANDS interactive-commands error
user@host# set syslog file traffic-log any any
user@host# set syslog file traffic-log match RT_FLOW_SESSION
user@host# set syslog source-address 198.51.100.2


3. Enable VPN on the device. 


IKE setup:

[edit security]
user@host# set ike proposal IKE_Proposal authentication-method pre-shared-keys
user@host# set ike proposal IKE_Proposal dh-group group14
user@host# set ike proposal IKE_Proposal authentication-algorithm sha-256
user@host# set ike proposal IKE_Proposal encryption-algorithm aes-128-cbc

user@host# set ike policy IKE_Policy mode main
user@host# set ike policy IKE_Policy proposals IKE_Proposal
user@host# set ike policy IKE_Policy pre-shared-key ascii-text 12345

user@host# set ike gateway GW ike-policy IKE_Policy
user@host# set ike gateway GW address 198.51.100.3
user@host# set ike gateway GW local-identity inet 198.51.100.1
user@host# set ike gateway GW external-interface ge-0/0/2
user@host# set ike gateway GW version v2-only

IPsec setup:

[edit security ipsec]
user@host# set proposal IPsec_Proposal protocol esp
root@host# set proposal IPsec_Proposal authentication-algorithm hmac-sha1-96
root@host# set proposal IPsec_Proposal encryption-algorithm aes-128-cbc
root@host# set policy IPsec_Policy perfect-forward-secrecy keys group14
root@host# set policy IPsec_Policy proposals IPsec_Proposal
root@host# set vpn VPN bind-interface st0.0
root@host# set vpn VPN ike gateway GW
root@host# set vpn VPN ike ipsec-policy IPsec_Policy
root@host# set vpn VPN establish-tunnels immediately


4. Perform the following additional configurations on the device. 


IKE trace log:

[edit security ike]
root@host# set traceoptions file IKE_Trace
root@host# set traceoptions file size 1000000
root@host# set traceoptions flag all

Flow trace:

[edit security flow]
root@host# set traceoptions file DEBUG
root@host# set traceoptions file size 1000000
root@host# set traceoptions flag all


Route options: 
[edit]
root@host# set routing-options static route 203.0.113.2/24 qualified-next-hop st0.0 preference 1


Address book configuration: 


[edit security address-book]
root@host# set global address trustLAN 198.51.100.0/24
root@host# set global address unTrustLAN 198.51.100.3/24


Zone configuration: 


[edit security zones]
root@host# set security-zone trustZone host-inbound-traffic system-services all
root@host# set security-zone trustZone host-inbound-traffic protocols all
root@host# set security-zone trustZone interfaces ge-0/0/1.0

root@host# set security-zone unTrustZone host-inbound-traffic system-services all
root@host# set security-zone unTrustZone host-inbound-traffic protocols all
root@host# set security-zone unTrustZone interfaces st0.0
root@host# set security-zone unTrustZone interfaces ge-0/0/2.0


Policy configuration: 


[edit security policies]
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match source-address trustLAN
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match destination-address unTrustLAN
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match application any
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then permit
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-init
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-close

root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match source-address unTrustLAN
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match destination-address trustLAN
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match application any
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then permit
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-init
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-close
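The IKE and IPsec proposals in step 3 should use only values from Table 3. The following Python check is an added example and is not part of the guide: it parses the proposal and perfect-forward-secrecy statements from set-format configuration and reports every value that Table 3 does not list. The compliant sample reproduces the proposal values of step 3; the deviating sample is constructed and uses md5, des-cbc and group2 purely as examples of values outside the evaluated set.

```python
# Table 3, transcribed: the supported values for each proposal field.
IKE_ALLOWED = {
    "authentication-method": {"pre-shared-keys", "rsa-signatures-2048",
                              "ecdsa-signatures-256", "ecdsa-signatures-384"},
    "authentication-algorithm": {"sha-256", "sha-384"},
    "dh-group": {"group14", "group19", "group20", "group24"},
    "encryption-algorithm": {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc",
                             "aes-256-cbc", "aes-256-gcm", "3des-cbc"},
}
IPSEC_ALLOWED = {
    "protocol": {"esp"},
    "authentication-algorithm": {"hmac-sha1-96", "hmac-sha256-128"},
    "encryption-algorithm": {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc", "aes-192-gcm",
                             "aes-256-cbc", "aes-256-gcm", "3des-cbc"},
}
PFS_ALLOWED = {"group14", "group19", "group20", "group24"}


def parse_proposals(config_text: str) -> dict:
    """Map ('ike'|'ipsec', proposal name) -> {field: value} from 'set security ... proposal'
    lines, and ('pfs', policy name) -> DH group from the perfect-forward-secrecy statement."""
    out = {}
    for line in config_text.splitlines():
        w = line.split()
        if w[:2] != ["set", "security"] or len(w) < 7:
            continue
        kind = w[2]
        if kind in ("ike", "ipsec") and w[3] == "proposal":
            out.setdefault((kind, w[4]), {})[w[5]] = w[6]
        elif (kind == "ipsec" and w[3] == "policy"
              and w[5:7] == ["perfect-forward-secrecy", "keys"] and len(w) > 7):
            out[("pfs", w[4])] = w[7]
    return out


def audit_vpn_proposals(config_text: str) -> list:
    """Return one finding per value outside Table 3; an empty list means all values are supported."""
    findings = []
    for (kind, name), fields in parse_proposals(config_text).items():
        if kind == "pfs":
            if fields not in PFS_ALLOWED:
                findings.append(f"ipsec policy {name}: PFS group {fields} not in Table 3")
            continue
        allowed = IKE_ALLOWED if kind == "ike" else IPSEC_ALLOWED
        for field, value in fields.items():
            if field in allowed and value not in allowed[field]:
                findings.append(f"{kind} proposal {name}: {field} {value} not in Table 3")
    return findings


# Constructed samples in set-format display. COMPLIANT carries the step 3 values.
COMPLIANT = """\
set security ike proposal IKE_Proposal authentication-method pre-shared-keys
set security ike proposal IKE_Proposal dh-group group14
set security ike proposal IKE_Proposal authentication-algorithm sha-256
set security ike proposal IKE_Proposal encryption-algorithm aes-128-cbc
set security ipsec proposal IPsec_Proposal protocol esp
set security ipsec proposal IPsec_Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal IPsec_Proposal encryption-algorithm aes-128-cbc
set security ipsec policy IPsec_Policy perfect-forward-secrecy keys group14
"""

DEVIATING = """\
set security ike proposal IKE_Proposal authentication-method pre-shared-keys
set security ike proposal IKE_Proposal dh-group group14
set security ike proposal IKE_Proposal authentication-algorithm md5
set security ike proposal IKE_Proposal encryption-algorithm aes-128-cbc
set security ipsec proposal IPsec_Proposal protocol esp
set security ipsec proposal IPsec_Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal IPsec_Proposal encryption-algorithm des-cbc
set security ipsec policy IPsec_Policy perfect-forward-secrecy keys group2
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("deviating", DEVIATING)):
        print(label, "->", audit_vpn_proposals(cfg) or "all values in Table 3")
```

The check is deliberately a whitelist: any proposal value the table does not name is a finding, so an algorithm added in a later release is flagged for review rather than passed by default.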


Related Documentation
• Configuring SSH on the Evaluated Configuration on page 26
• Sample Syslog Server Configuration on a Linux System on page 67
CHAPTER 5


Configuring Traffic Filtering Rules 


• Understanding Protocol Support on page 35
• Configuring Traffic Filter Rules on page 36
• Configuring Default Deny-All and Reject Rules on page 37
• Logging the Dropped Packets Using Default Deny-all Option on page 38
• Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP
Packets on page 38
• Configuring Default Reject Rules for Source Address Spoofing on page 39
• Configuring Default Reject Rules with IP Options on page 40
• Configuring Default Reject Rules on page 41
• Configuring the Device to Drop Unassigned IPv6 Packets on page 41


Understanding Protocol Support 


You can configure the devices running Junos OS to perform stateful network traffic 
filtering on network packets using network traffic protocols and network fields as 
described in Table 3 on page 29. 


Table 6: Network Traffic Protocols and Fields

Protocol or RFC                                                  Fields
ICMPv4 - RFC 792, Internet Control Message Protocol version 4    • Type
                                                                 • Code
ICMPv6 - RFC 4443, Internet Control Message Protocol version 6   • Type
                                                                 • Code
IPv4 - RFC 791, Internet Protocol                                • Source address
                                                                 • Destination address
                                                                 • Transport Layer Protocol
IPv6 - RFC 2460, Internet Protocol                               • Source address
                                                                 • Destination address
                                                                 • Transport Layer Protocol
TCP - RFC 793, Transmission Control Protocol                     • Source port
                                                                 • Destination port
UDP - RFC 768, User Datagram Protocol                            • Source port
                                                                 • Destination port


The following protocols are also supported on devices running Junos OS and are a part
of this evaluation.

• SSH
• IPsec
• IKE

The following protocols are supported on devices running Junos OS but are not included
in the scope of this evaluation.

• OSPF
• BGP
• RIP


Configuring Traffic Filter Rules 


Traffic filter rules can be configured on a device to validate packets against protocol
attributes and to direct traffic according to the configured attributes. These rules are
based on the zones to which network interfaces are bound.

The following procedure describes how to configure traffic filter rules to direct FTP traffic
from source trustZone to destination untrustZone and from source network trustLan to
destination network untrustLan. Here, traffic traverses from the device's interface A
on trustZone to interface B on untrustZone.


1. Configure a zone and its interfaces.

[edit]
user@host# set security zones security-zone trustLan interfaces ge-0/0/0

2. Configure the security policy in the specified zone-to-zone direction and specify the
match criteria.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application ftp

3. Configure the security policy in the specified zone-to-zone direction and specify the
action to take when a packet matches the criteria.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and
trustLan and untrustLan are preconfigured network addresses.


Related Documentation
• Understanding Protocol Support on page 35


Configuring Default Deny-All and Reject Rules 


By default, security devices running Junos OS deny traffic unless rules are explicitly created 
to allow it using the following command: 


[edit] 
user@host#set security policies default-policy deny-all 


You can configure your security devices running Junos OS to enforce the following default
reject rules with logging on all network traffic:

• Invalid fragments
• Fragmented IP packets that cannot be reassembled completely
• Where the source address is equal to the address of the network interface
• Where the source address does not belong to the networks associated with the network
interface
• Where the source address is defined as being on a broadcast network
• Where the source address is defined as being on a multicast network
• Where the source address is defined as being a loopback address
• Where the source address is a multicast address
• Where the source or destination address is a link-local address
• Where the source or destination address is defined as being an address “reserved for
future use” as specified in RFC 5735 for IPv4
• Where the source or destination address is defined as an “unspecified address” or an
address “reserved for future definition and use” as specified in RFC 3513 for IPv6
• Where the IP option Loose Source Routing, Strict Source Routing, or Record Route is
specified
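The address checks behind the reject rules listed above, written out as an added example (this is not Junos code and does not reproduce the device's screen implementation). Given the ingress interface's address and prefix and a packet's source and destination, reject_reasons() names the rules the packet would hit, which is a quick way to reason about why a packet was dropped or which screen options a zone needs. The interface and packet values are constructed sample values.

```python
"""Address checks behind the default reject rules (added example, not Junos code)."""
from ipaddress import ip_address, ip_interface, ip_network

LIMITED_BROADCAST = ip_address("255.255.255.255")
RESERVED_V4 = ip_network("240.0.0.0/4")   # RFC 5735 "reserved for future use"
ROUTING_OPTIONS = ("loose-source-route", "strict-source-route", "record-route")


def reject_reasons(ingress: str, src: str, dst: str, ip_options=()) -> list:
    """Return the default reject rules matched by a packet from src to dst that
    arrived on the interface configured as ingress (for example "192.0.2.1/24")."""
    iface = ip_interface(ingress)
    s, d = ip_address(src), ip_address(dst)
    same_family = s.version == iface.ip.version
    reasons = []

    # Source address spoofing checks.
    if s == iface.ip:
        reasons.append("source equals interface address")
    if same_family and s not in iface.network:
        reasons.append("source not in interface network")
    if s.version == 4 and (s == LIMITED_BROADCAST
                           or (same_family and s == iface.network.broadcast_address)):
        reasons.append("source is broadcast")

    # Special-purpose source addresses.
    if s.is_multicast:
        reasons.append("source is multicast")
    if s.is_loopback:
        reasons.append("source is loopback")
    if s.is_link_local or d.is_link_local:
        reasons.append("source or destination is link-local")

    # Reserved and unspecified ranges, per address family.
    if s.version == 4:
        if s in RESERVED_V4 or (d.version == 4 and d in RESERVED_V4):
            reasons.append("source or destination reserved for future use (RFC 5735)")
    else:
        if s.is_unspecified or d.is_unspecified:
            reasons.append("source or destination is the unspecified address (RFC 3513)")
        if s.is_reserved or d.is_reserved:
            reasons.append("source or destination reserved for future definition (RFC 3513)")

    # IP options rejected by the source-route and record-route screen options.
    for opt in ip_options:
        if opt in ROUTING_OPTIONS:
            reasons.append(f"IP option {opt}")
    return reasons


if __name__ == "__main__":
    # Constructed packets received on a trustZone interface.
    for pkt in [("192.0.2.7", "198.51.100.7", ()),
                ("10.0.0.5", "198.51.100.7", ()),
                ("192.0.2.7", "198.51.100.7", ("record-route",))]:
        print(pkt, "->", reject_reasons("192.0.2.1/24", *pkt) or "accepted by these rules")
```

The checks are evaluated independently, so one packet can match several rules at once (a multicast source that is also outside the interface network, for instance); a device logs the first screen it trips, but seeing every applicable rule is more useful when tuning the configuration.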


Copyright © 2018, Juniper Networks, Inc. 37


Common Criteria Evaluated Configuration Guide for SRX Series Security Devices 


Logging the Dropped Packets Using Default Deny-all Option 


The evaluated configuration device drops all IPv6 traffic by default. This topic describes 
how to log packets dropped by this default deny-all option. 


Before you begin, log in with your root account on a Junos OS device running Junos
OS Release 12.3X48-D30 and edit the configuration.

NOTE: You can enter the configuration commands in any order and commit
all the commands at once.

To log packets dropped by the default deny-all option:

1. Configure a network security policy in a global context and specify the security policy
match criteria.

[edit security policies]
user@host# set global policy always-last-default-deny-and-log match source-address any destination-address any application any

2. Specify the policy action to take when the packet matches the criteria.

[edit security policies]
user@host# set global policy always-last-default-deny-and-log then deny

3. Configure the security policy to enable logs at the session initialization time.

[edit security policies]
user@host# set global policy always-last-default-deny-and-log then log session-init

NOTE: This procedure might capture a very large amount of data until you
have configured the other policies.

To permit all IPv6 traffic into an SRX Series device, configure the device with flow-based
forwarding mode. While the default policy in flow-based forwarding mode is still to drop
all IPv6 traffic, you can now add rules to permit selected types of IPv6 traffic.

[edit]
user@host# set security forwarding-options family inet6 mode flow-based
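A model of the policy lookup the two procedures above rely on, added here as an example (it is not Junos code and only imitates the ordering: zone-pair policies are consulted first, in configured order, then global policies such as always-last-default-deny-and-log, and finally the unlogged default-policy deny-all). Zone, address-book and application names are the ones the guide uses; the prefixes behind trustLan and untrustLan and the host addresses are constructed.

```python
"""Toy model of zone-based, first-match policy lookup (added example, not Junos code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Address book (constructed prefixes; the guide only names the entries).
ADDRESS_BOOK = {
    "trustLan": ip_network("192.0.2.0/28"),
    "untrustLan": ip_network("198.51.100.0/28"),
    "any": None,                      # wildcard
}

# Applications referenced in the guide, as (protocol, destination port).
APPLICATIONS = {
    "ftp": ("tcp", 21),
    "junos-ssh": ("tcp", 22),
    "junos-telnet": ("tcp", 23),
    "any": None,                      # wildcard
}

GLOBAL = "*"                          # zone wildcard used by global policies


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str
    destination: str
    application: str
    action: str                       # "permit" or "deny"
    log_init: bool = False            # then log session-init
    log_close: bool = False           # then log session-close


@dataclass
class Session:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Verdict:
    action: str
    policy: str
    logs: list = field(default_factory=list)


def _addr_match(entry: str, addr: str) -> bool:
    net = ADDRESS_BOOK[entry]
    return net is None or ip_address(addr) in net


def _app_match(entry: str, proto: str, dport: int) -> bool:
    app = APPLICATIONS[entry]
    return app is None or app == (proto, dport)


def matches(p: Policy, s: Session) -> bool:
    return (p.from_zone in (GLOBAL, s.from_zone)
            and p.to_zone in (GLOBAL, s.to_zone)
            and _addr_match(p.source, s.src)
            and _addr_match(p.destination, s.dst)
            and _app_match(p.application, s.proto, s.dport))


def evaluate(policies: list, s: Session) -> Verdict:
    """First match wins: zone-pair policies before global ones; if nothing
    matches, the default-policy deny-all applies and nothing is logged."""
    zone_pair = [p for p in policies if p.from_zone != GLOBAL]
    global_ = [p for p in policies if p.from_zone == GLOBAL]
    for p in zone_pair + global_:
        if matches(p, s):
            v = Verdict(p.action, p.name)
            if p.log_init:
                v.logs.append("session-init")
            # A denied session is never established, so only a permitted
            # session can produce a session-close log.
            if p.log_close and p.action == "permit":
                v.logs.append("session-close")
            return v
    return Verdict("deny", "default-policy deny-all")


# The policies configured in the two procedures above.
POLICIES = [
    Policy("policy1", "trustZone", "untrustZone", "trustLan", "untrustLan",
           "ftp", "permit", log_init=True, log_close=True),
    Policy("always-last-default-deny-and-log", GLOBAL, GLOBAL, "any", "any",
           "any", "deny", log_init=True),
]

if __name__ == "__main__":
    ftp = Session("trustZone", "untrustZone", "192.0.2.3", "198.51.100.9", "tcp", 21)
    ssh = Session("trustZone", "untrustZone", "192.0.2.3", "198.51.100.9", "tcp", 22)
    print(evaluate(POLICIES, ftp))
    print(evaluate(POLICIES, ssh))
```

Running the model shows the point of the global policy: without it, the SSH session above falls through to the default deny-all and leaves no log at all, which is why the guide adds the catch-all deny-and-log policy before any other policies exist.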


Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets 


This topic describes how to configure mandatory reject rules for invalid fragments and 
fragmented IP packets that cannot be reassembled. 
Before you begin, log in with your root account on a Junos OS device running Junos
OS Release 12.3X48-D30 and edit the configuration.

NOTE: You can enter the configuration commands in any order and commit
all the commands at once.

To configure mandatory reject rules:

1. Specify the flow configuration to forcefully reassemble the IP fragments.

[edit]
user@host# set security flow force-ip-reassembly

2. Delete the screen ID and the IDS options and enable the ICMP fragment IDS option.

[edit]
user@host# delete security screen ids-option trustScreen icmp fragment

3. Delete the IP layer IDS option and enable the IP fragment blocking IDS option.

[edit]
user@host# delete security screen ids-option trustScreen ip block-frag


Configuring Default Reject Rules for Source Address Spoofing 


The following guidelines describe when to configure the default reject rules for source
address spoofing:

• When the source address is equal to the address of the network interface where the
network packet was received.
• When the source address does not belong to the networks associated with the network
interface where the network packet was received.
• When the source address is defined as being on a broadcast network.

Before you begin, log in with your root account on a Junos OS device running Junos
OS Release 12.3X48-D30 and edit the configuration.

NOTE: You can enter the configuration commands in any order and commit
all the commands at once.

To configure default reject rules to log source address spoofing:

1. Configure the security screen features and enable the IP address spoofing IDS option.

[edit]
user@host# set security screen ids-option trustScreen ip spoofing

2. Specify the name of the security zone and the IDS option object applied to the zone.

[edit]
user@host# set security zones security-zone trustZone screen trustScreen


Configuring Default Reject Rules with IP Options 




This topic describes how to configure default reject rules with IP options. The IP options 
enable the device to either block any packets with loose or strict source route options or 
detect such packets and then record the event in the counters list for the ingress interface. 


Before you begin, log in with your root account to an SRX Series device running Junos
OS Release 12.3X48-D30.

NOTE: You can enter the configuration commands in any order and commit
all the commands at once.

To configure the default reject rules with IP options:

1. Configure the screen features to enable IP options.

[edit security screen ids-option trustScreen]
user@host# set ip source-route-option
user@host# set ip loose-source-route-option
user@host# set ip strict-source-route-option
user@host# set ip record-route-option


2. Specify the name of the security zone and the IDS option object applied to the zone. 


[edit] 
user@host# set security zones security-zone trustZone screen trustScreen 
Configuring Default Reject Rules

The following guidelines describe when to configure the default reject rules:

• The source address is defined as being on a multicast network, a loopback address, or a
multicast address.
• The source or destination address of a packet is a link-local address, an address
“reserved for future use” as specified in RFC 5735 for IPv4, or an “unspecified address” or
an address “reserved for future definition and use” as specified in RFC 3513 for IPv6.
• An illegal or out-of-sequence TCP packet is received.

Before you begin, log in with your root account on a Junos OS device running Junos
OS Release 12.3X48-D30 and edit the configuration.

NOTE: You can enter the configuration commands in any order and commit
all the commands at once.

To configure default reject rules:

1. Configure the security screen features and enable the IP address spoofing IDS option.

[edit]
user@host# set security screen ids-option trustScreen ip spoofing

2. Configure the security flow feature to log the dropped illegal packets.

[edit]
user@host# set security flow log dropped-illegal-packet

3. Specify the name of the security zone and the IDS option object applied to the zone.

[edit]
user@host# set security zones security-zone trustZone screen trustScreen

4. Configure the mandatory TCP reject rule.

[edit]
user@host# set security flow tcp-session strict-syn-check


Configuring the Device to Drop Unassigned IPv6 Packets 


Before you configure the device to drop unassigned IPv6 packets, check the default
configuration status of the device. From operational mode, enter the show usp flow
configuration command.

In the output, the advanced option no_drop_unassigned_ipv6_address: disabled (default)
indicates that by default the device drops unassigned IPv6 packets.




To enable the device to drop unassigned IPv6 packets, use the following command: 


user@host# set security flow advanced-options no-drop-unassigned-ipv6-address 
user@host# commit 


To revert to the default configuration, use the following command:


user@host# delete security flow advanced-options no-drop-unassigned-ipv6-address 
user@host# commit 
Configuring Security Flow Policies

• Understanding a Security Flow Policy on a Device Running Junos OS on page 43

Understanding a Security Flow Policy on a Device Running Junos OS

You can define a security flow policy on a device running Junos OS to inspect and process
network packets. Permit, deny, and log operations can be associated with each policy.
Each of these policies is associated with zones to which distinct network interfaces are
bound.


The following modes can be defined for a security flow policy to determine how a device 
directs traffic: 


• Bypass—The Permit option directs the traffic traversing the device through the stateful
firewall inspection, but not through the IPsec VPN tunnel.
• Discard—The Deny option inspects and drops all packets that do not match any Permit
policies.
• Protect—The traffic is routed through an IPsec tunnel based on the combination of
route lookup and Permit policy inspection.
• Log—This option logs traffic and session information for all the modes mentioned
above.

The following sections describe how to configure a security policy for each of these
modes:

• Configuring a Security Flow Policy in Firewall Bypass Mode on page 43
• Configuring a Security Policy in Firewall Discard Mode on page 44
• Configuring a Security Flow Policy in IPsec Protect Mode on page 44


Configuring a Security Flow Policy in Firewall Bypass Mode 


To configure a security flow policy for firewall bypass mode: 


• Configure the security policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones
and trustLan and untrustLan are preconfigured network addresses.
junos-ssh is an example of a Junos OS default predefined application that
can be configured in a security policy to enforce SSH traffic.


Configuring a Security Policy in Firewall Discard Mode 


To configure a security flow policy for firewall discard mode: 


• Configure the security policies.

[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application junos-telnet
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then deny
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are the preconfigured security
zones and trustLan and untrustLan are preconfigured network addresses.
junos-telnet is an example of a Junos OS default predefined application
that can be configured in a security policy to enforce Telnet traffic.


Configuring a Security Flow Policy in IPsec Protect Mode 


To configure a security flow policy for IPsec protect mode:

1. Configure the VPN.

[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set routing-options static route 198.51.100.14/24 qualified-next-hop st0.0 preference 1

NOTE: Here, gw1 and ipsec-policy1 are preconfigured IKE and IPsec policies.

2. Configure the security policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones
and trustLan and untrustLan are preconfigured network addresses.

Related Documentation
• Configuring VPN on a Device Running Junos OS on page 47
Configuring VPNs

• Configuring VPN on a Device Running Junos OS on page 47

Configuring VPN on a Device Running Junos OS

This section describes sample configurations of an IPsec VPN on a Junos OS device using
the following IKE authentication methods:

• Configuring an IPsec VPN with a Preshared Key for IKE Authentication on page 49
• Configuring an IPsec VPN with an RSA Signature for IKE Authentication on page 55
• Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication on page 61

Figure 2 on page 47 illustrates the VPN topology used in all the examples described in
this section. Here, H0 and H1 are the host PCs, R0 and R2 are the two endpoints of the
IPsec VPN tunnel, and R1 is a router to route traffic between the two different networks.

NOTE: The router R1 can be a Linux-based router, a Juniper Networks device,
or any other vendor router.

Figure 2: VPN Topology (figure not reproduced; the addresses along the path, from left
to right, are 192.0.2.3, 192.0.2.2, 192.0.2.5, 192.0.2.6, 192.0.2.9, 192.0.2.8, 192.0.2.11,
and 192.0.2.12)
Table 7 on page 48 provides a complete list of the supported IKE protocols, tunnel modes,
Phase 1 negotiation mode, authentication method or algorithm, encryption algorithm, and
DH groups supported for the IKE authentication and encryption (Phase 1, IKE Proposal)
and for IPsec authentication and encryption (Phase 2, IPsec Proposal). The listed protocols,
modes, and algorithms are supported and required for 12.3X48-D30 Common Criteria.

Table 7: VPN Combination Matrix

Phase 1 Proposal (P1, IKE)

IKE Protocol   Tunnel Mode   Phase 1 Negotiation Mode   Authentication Method   Authentication Algorithm   DH Group   Encryption Algorithm
IKEv1          Route         Main                       pre-shared-keys         sha-256                    group14    aes-128-cbc
IKEv2                                                   rsa-signatures-2048     sha-384                    group19    aes-128-gcm
                                                        ecdsa-signatures-256                               group20    aes-192-cbc
                                                        ecdsa-signatures-384                               group24    aes-256-cbc
                                                                                                                      aes-256-gcm
                                                                                                                      3des-cbc

Phase 2 Proposal (P2, IPsec)

IKE Protocol   Tunnel Mode   Phase 1 Negotiation Mode   Authentication Algorithm   DH Group (PFS)   Protocol   Encryption Algorithm
IKEv1          Route         Main                       hmac-sha1-96               group14          ESP        aes-128-cbc
IKEv2                                                   hmac-sha256-128            group19                     aes-128-gcm
                                                                                   group20                     aes-192-cbc
                                                                                   group24                     aes-192-gcm
                                                                                                               aes-256-cbc
                                                                                                               aes-256-gcm
                                                                                                               3des-cbc

NOTE: The following sections provide sample configurations of IKEv1 IPsec
VPN examples for selected algorithms. Authentication and encryption
algorithms can be replaced in the configurations to accomplish the user’s
desired configurations. Use the set security ike gateway <gw-name> version v2-only
command for IKEv2 IPsec VPN.


Configuring an IPsec VPN with a Preshared Key for IKE Authentication 


In this section, you configure devices running Junos OS for IPsec VPN using a preshared
key as the IKE authentication method. The algorithms used in IKE or IPsec authentication
or encryption are shown in Table 8 on page 49.

Table 8: IKE or IPsec Authentication and Encryption

Phase 1 Proposal (P1, IKE)

IKE Protocol   Tunnel Mode   Phase 1 Negotiation Mode   Authentication Method   Authentication Algorithm   DH Group   Encryption Algorithm
IKEv1          Route         Main                       pre-shared-keys         sha-256                    group14    aes-256-cbc

Phase 2 Proposal (P2, IPsec)

IKE Protocol   Tunnel Mode   Phase 1 Negotiation Mode   Authentication Algorithm   DH Group (PFS)   Protocol   Encryption Algorithm
IKEv1          Route         Main                       hmac-sha-256-128           group14          ESP        aes-256-cbc

NOTE: A device running Junos OS uses preshared keys for IPsec (no other
protocols). The TOE accepts ASCII preshared or bit-based keys up to 255
characters (and their binary equivalents) that contain uppercase and
lowercase letters, numbers, and special characters such as !, @, #, $, %, ^,
&, *, (, and ). The device accepts the preshared text keys and converts the
text string into an authentication value as per RFC 2409 for IKEv1 or RFC
4306 for IKEv2, using the PRF that is configured as the hash algorithm for
the IKE exchanges.
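A worked illustration of the RFC 2409 conversion the note describes, added here as an example (it is not Junos code and does not reproduce the device's implementation). The preshared key, whether entered as ascii-text or as its hexadecimal equivalent, becomes the key of the negotiated PRF (the HMAC form of the configured hash) over the two IKE nonces to form SKEYID, from which SKEYID_d, SKEYID_a and SKEYID_e are derived. The nonces, cookies and Diffie-Hellman secret are constructed sample values; the IKEv2 derivation in RFC 4306 is different and is not shown.

```python
"""IKEv1 preshared-key derivation per RFC 2409 (added example, not Junos code)."""
import hashlib
import hmac
from binascii import unhexlify


def prf(key: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 2409 PRF: the HMAC version of the negotiated hash algorithm."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def psk_from_ascii(text: str) -> bytes:
    """A preshared key entered as ascii-text is used byte for byte."""
    return text.encode("ascii")


def psk_from_hex(hex_text: str) -> bytes:
    """A preshared key entered as hexadecimal is the same bytes, written in hex."""
    return unhexlify(hex_text)


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr, hash_name)


def derived_keys(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes,
                 hash_name: str = "sha256") -> tuple:
    """RFC 2409 section 5:
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)"""
    tail = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00", hash_name)
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01", hash_name)
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02", hash_name)
    return skeyid_d, skeyid_a, skeyid_e


# Constructed sample values; real nonces, cookies and DH secrets are random per exchange.
SAMPLE_NI = bytes(range(16))
SAMPLE_NR = bytes(range(16, 32))
SAMPLE_CKY_I = b"\x11" * 8
SAMPLE_CKY_R = b"\x22" * 8
SAMPLE_G_XY = b"\x33" * 32


def demo(ascii_key: str = "CertSqa@jnpr2014") -> dict:
    """Show that the ascii-text key and its hex form give identical keying material."""
    key_a = psk_from_ascii(ascii_key)
    key_h = psk_from_hex(key_a.hex())
    skeyid = skeyid_psk(key_a, SAMPLE_NI, SAMPLE_NR)
    d, a, e = derived_keys(skeyid, SAMPLE_G_XY, SAMPLE_CKY_I, SAMPLE_CKY_R)
    return {
        "same_key_bytes": key_a == key_h,
        "skeyid": skeyid.hex(),
        "skeyid_d": d.hex(),
        "skeyid_a": a.hex(),
        "skeyid_e": e.hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The derivation is why the note speaks of "binary equivalents": the ascii-text and hexadecimal entry methods describe the same key bytes, so both peers may use either form as long as the bytes agree, and the strength of the result rests entirely on the entropy of those bytes and the freshness of the nonces.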


Configuring IPsec VPN with Preshared Key as IKE Authentication on the Initiator 


To configure the IPsec VPN with preshared key IKE authentication on the initiator: 


1. Configure the IKE proposal.

[edit security ike]
user@host# set proposal ike-proposal1 authentication-method pre-shared-keys
user@host# set proposal ike-proposal1 dh-group group14
user@host# set proposal ike-proposal1 authentication-algorithm sha256
user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc

NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized
administrator.

2. Configure the IKE policy.

[edit]
user@host# set security ike policy ike-policy1 mode main
user@host# set security ike policy ike-policy1 proposals ike-proposal1

NOTE: Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE
proposal name given by the authorized administrator.

user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
New ascii-text (secret):
Retype new ascii-text (secret):

NOTE: You must enter and reenter the preshared key when prompted.
For example, the preshared key can be CertSqa@jnpr2014.

NOTE: The preshared key can alternatively be entered in hexadecimal
format. For example:

[edit]
user@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
New hexadecimal (secret):
Retype new hexadecimal (secret):

Here, the hexadecimal preshared key can be cc2014bae9876543.


3. Configure the IPsec proposal.

[edit security ipsec]
user@host# set proposal ipsec-proposal1 protocol esp
user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-cbc

NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the
authorized administrator.

4. Configure the IPsec policy.

[edit security ipsec]
user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set policy ipsec-policy1 proposals ipsec-proposal1

NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is
the IPsec proposal name given by the authorized administrator.

5. Configure the IKE gateway.

[edit security ike]
user@host# set gateway gw1 ike-policy ike-policy1
user@host# set gateway gw1 address 192.0.2.8
user@host# set gateway gw1 local-identity inet 192.0.2.5
user@host# set gateway gw1 external-interface ge-0/0/2

NOTE: Here, gw1 is an IKE gateway name, 192.0.2.8 is the peer VPN
endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and ge-0/0/2 is the local
outbound interface used as the VPN endpoint. The following additional
configuration is also needed in the case of IKEv2.

[edit security ike]
user@host# set gateway gw1 version v2-only


6. Configure the VPN.

[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set routing-options static route 192.0.2.10/24 qualified-next-hop st0.0 preference 1

NOTE: Here, vpn1 is the VPN tunnel name given by the authorized
administrator.

7. Configure the outbound flow policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones
and trustLan and untrustLan are preconfigured network addresses.

8. Configure the inbound flow policies.

[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones
and trustLan and untrustLan are preconfigured network addresses.

9. Commit your configuration.

user@host# commit


Configuring IPsec VPN with Preshared Key as IKE Authentication on the Responder 


To configure the IPsec VPN with preshared key IKE authentication on the responder: 


1. Configure the IKE proposal.

[edit security ike]
user@host# set proposal ike-proposal1 authentication-method pre-shared-keys
user@host# set proposal ike-proposal1 dh-group group14
user@host# set proposal ike-proposal1 authentication-algorithm sha256
user@host# set proposal ike-proposal1 encryption-algorithm 3des-cbc

NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized
administrator.

2. Configure the IKE policy.

[edit]
user@host# set security ike policy ike-policy1 mode main
user@host# set security ike policy ike-policy1 proposals ike-proposal1

NOTE: Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE
proposal name given by the authorized administrator.

user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
New ascii-text (secret):
Retype new ascii-text (secret):

NOTE: You must enter and reenter the preshared key when prompted.
For example, the preshared key can be CertSqa@jnpr2014.

NOTE: The preshared key can alternatively be entered in hexadecimal
format. For example:

user@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
New hexadecimal (secret):
Retype new hexadecimal (secret):

Here, the hexadecimal preshared key can be cc2014bae9876543.


3. Configure the IPsec proposal.

[edit security ipsec]
user@host# set proposal ipsec-proposal1 protocol esp
user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set proposal ipsec-proposal1 encryption-algorithm 3des-cbc

NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the
authorized administrator.

4. Configure the IPsec policy.

[edit security ipsec]
user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set policy ipsec-policy1 proposals ipsec-proposal1

NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is
the IPsec proposal name given by the authorized administrator.

5. Configure the IKE gateway.

[edit security ike]
user@host# set gateway gw1 ike-policy ike-policy1
user@host# set gateway gw1 address 192.0.2.5
user@host# set gateway gw1 local-identity inet 192.0.2.8
user@host# set gateway gw1 external-interface ge-0/0/2

NOTE: Here, gw1 is an IKE gateway name, 192.0.2.5 is the peer VPN
endpoint IP, 192.0.2.8 is the local VPN endpoint IP, and ge-0/0/2 is the local
outbound interface used as the VPN endpoint. The following additional
configuration is also needed in the case of IKEv2.

[edit security ike]
user@host# set gateway gw1 version v2-only


6. Configure the VPN.

[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set routing-options static route 192.0.2.7/24 qualified-next-hop st0.0 preference 1

NOTE: Here, vpn1 is the VPN tunnel name given by the authorized
administrator.

7. Configure the outbound flow policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones
and trustLan and untrustLan are preconfigured network addresses.

8. Configure the inbound flow policies.

[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones
and trustLan and untrustLan are preconfigured network addresses.

9. Commit your configuration.

user@host# commit


Configuring an IPsec VPN with an RSA Signature for IKE Authentication 


In this section, you configure devices running Junos OS for IPsec VPN using an RSA signature as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 9 on page 55.


Table 9: IKE/IPsec Authentication and Encryption

Phase 1 Proposal (P1, IKE)

IKE Protocol | Tunnel Mode | Negotiation Mode | Phase 1 Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm
IKEv1        | Route       | Main             | rsa-signatures-2048           | sha-256                  | group14  | aes-128-cbc

Phase 2 Proposal (P2, IPsec)

IKE Protocol | Tunnel Mode | Negotiation Mode | Phase 2 Authentication Algorithm | DH Group | Encryption Method | Encryption Algorithm
IKEv1        | Route       | Main             | hmac-sha-256-128                 | group19  | ESP               | aes-128-cbc





Configuring IPsec VPN with RSA Signature as IKE Authentication on the Initiator 


To configure the IPsec VPN with RSA signature IKE authentication on the initiator: 


1. Configure the PKI. See Example: Configuring PKI.

2. Generate the RSA key pair. See Example: Generating a Public-Private Key Pair.

3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.

4. Load the CRL. See Example: Manually Loading a CRL onto the Device.

5. Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.


6. Configure the IKE proposal.

[edit security ike]
user@host# set proposal ike-proposal1 authentication-method rsa-signatures
user@host# set proposal ike-proposal1 dh-group group19
user@host# set proposal ike-proposal1 authentication-algorithm sha-256
user@host# set proposal ike-proposal1 encryption-algorithm aes-128-cbc

NOTE: Here, ike-proposal1 is the name given by the authorized administrator.


7. Configure the IKE policy.

[edit security ike]
user@host# set policy ike-policy1 mode main
user@host# set policy ike-policy1 proposals ike-proposal1
user@host# set policy ike-policy1 certificate local-certificate cert1

NOTE: Here, ike-policy1 is the IKE policy name given by the authorized administrator.


8. Configure the IPsec proposal.

[edit security ipsec]
user@host# set proposal ipsec-proposal1 protocol esp
user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set proposal ipsec-proposal1 encryption-algorithm aes-128-cbc

NOTE: Here, ipsec-proposal1 is the name given by the authorized administrator.


9. Configure the IPsec policy.

[edit security ipsec]
user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group19
user@host# set policy ipsec-policy1 proposals ipsec-proposal1

NOTE: Here, ipsec-policy1 is the name given by the authorized administrator.
10. Configure the IKE gateway.

[edit security ike]
user@host# set gateway gw1 ike-policy ike-policy1
user@host# set gateway gw1 address 192.0.2.8
user@host# set gateway gw1 local-identity inet 192.0.2.5
user@host# set gateway gw1 external-interface fe-0/0/1

NOTE: Here, 192.0.2.8 is the peer VPN endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and fe-0/0/1 is the local outbound interface used as the VPN endpoint. The following configuration is also needed for IKEv2.

[edit security ike]
user@host# set gateway gw1 version v2-only


11. Configure the VPN.

[edit security ipsec]
user@host# set vpn vpn1 ike gateway gw1
user@host# set vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set vpn vpn1 bind-interface st0.0

NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

[edit]
user@host# set routing-options static route 192.0.2.10/24 qualified-next-hop st0.0 preference 1


12. Configure the outbound flow policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.


13. Configure the inbound flow policies.

[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.


14. Commit the configuration.

[edit]
user@host# commit


Configuring IPsec VPN with RSA Signature as IKE Authentication on the Responder


To configure the IPsec VPN with the RSA signature IKE authentication on the responder: 


1. Configure the PKI. See Example: Configuring PKI. 
2. Generate the RSA key pair. See Example: Generating a Public-Private Key Pair. 


3. Generate and load CA certificate. See Example: Loading CA and Local Certificates 
Manually. 


4. Load the CRL. See Example: Manually Loading a CRL onto the Device. 


5. Generate and load a local certificate. See Example: Loading CA and Local Certificates 
Manually. 


6. Configure the IKE proposal.

[edit security ike]
user@host# set proposal ike-proposal1 authentication-method rsa-signatures
user@host# set proposal ike-proposal1 dh-group group19
user@host# set proposal ike-proposal1 authentication-algorithm sha-256
user@host# set proposal ike-proposal1 encryption-algorithm aes-128-cbc

NOTE: Here, ike-proposal1 is the name given by the authorized administrator.
7. Configure the IKE policy.

[edit security ike]
user@host# set policy ike-policy1 mode main
user@host# set policy ike-policy1 proposals ike-proposal1
user@host# set policy ike-policy1 certificate local-certificate cert1

NOTE: Here, ike-policy1 is the IKE policy name given by the authorized administrator.


8. Configure the IPsec proposal.

[edit security ipsec]
user@host# set proposal ipsec-proposal1 protocol esp
user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set proposal ipsec-proposal1 encryption-algorithm aes-128-cbc

NOTE: Here, ipsec-proposal1 is the name given by the authorized administrator.


9. Configure the IPsec policy.

[edit security ipsec]
user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group19
user@host# set policy ipsec-policy1 proposals ipsec-proposal1

NOTE: Here, ipsec-policy1 is the name given by the authorized administrator.


10. Configure the IKE gateway.

[edit security ike]
user@host# set gateway gw1 ike-policy ike-policy1
user@host# set gateway gw1 address 192.0.2.5
user@host# set gateway gw1 local-identity inet 192.0.2.8
user@host# set gateway gw1 external-interface ge-0/0/2

NOTE: Here, 192.0.2.5 is the peer VPN endpoint IP, 192.0.2.8 is the local VPN endpoint IP, and ge-0/0/2 is the local outbound interface used as the VPN endpoint. The following configuration is also needed for IKEv2.

[edit security ike]
user@host# set gateway gw1 version v2-only


11. Configure the VPN.

[edit security ipsec]
user@host# set vpn vpn1 ike gateway gw1
user@host# set vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set vpn vpn1 bind-interface st0.0

NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

[edit]
user@host# set routing-options static route 192.0.2.1/24 qualified-next-hop st0.0 preference 1


12. Configure the outbound flow policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.


13. Configure the inbound flow policies.

[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.


14. Commit the configuration.

[edit]
user@host# commit


Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication 


In this section, you configure devices running Junos OS for IPsec VPN using an ECDSA 
signature as the IKE authentication method. The algorithms used in IKE or IPsec 
authentication or encryption are shown in Table 10 on page 61. 


Table 10: IKE or IPsec Authentication and Encryption

Phase 1 Proposal (P1, IKE)

IKE Protocol | Tunnel Mode | Negotiation Mode | Phase 1 Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm
IKEv1        | Route       | Main             | ecdsa-signatures-256          | sha-384                  | group14  | aes-256-cbc

Phase 2 Proposal (P2, IPsec)

IKE Protocol | Tunnel Mode | Negotiation Mode | Phase 2 Authentication Algorithm | DH Group | Encryption Method | Encryption Algorithm
IKEv1        | Route       | Main             | hmac-sha-256-128                 | group14  | ESP               | aes-256-gcm


Configuring IPsec VPN with ECDSA signature IKE authentication on the Initiator


To configure the IPsec VPN with ECDSA signature IKE authentication on the initiator: 


1. Configure the PKI. See Example: Configuring PKI.

2. Generate the ECDSA key pair. See Example: Generating a Public-Private Key Pair.

3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.

4. Load the CRL. See Example: Manually Loading a CRL onto the Device.

5. Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.


6. Configure the IKE proposal.

[edit security ike]
user@host# set proposal ike-proposal1 authentication-method ecdsa-signatures-256
user@host# set proposal ike-proposal1 dh-group group14
user@host# set proposal ike-proposal1 authentication-algorithm sha-384
user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc

NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.


7. Configure the IKE policy.

[edit security ike]
user@host# set policy ike-policy1 mode main
user@host# set policy ike-policy1 proposals ike-proposal1
user@host# set policy ike-policy1 certificate local-certificate cert1


8. Configure the IPsec proposal.

[edit security ipsec]
user@host# set proposal ipsec-proposal1 protocol esp
user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.


9. Configure the IPsec policy.

[edit security ipsec]
user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set policy ipsec-policy1 proposals ipsec-proposal1

NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.


10. Configure the IKE gateway.

[edit security ike]
user@host# set gateway gw1 ike-policy ike-policy1
user@host# set gateway gw1 address 192.0.2.8
user@host# set gateway gw1 local-identity inet 192.0.2.5
user@host# set gateway gw1 external-interface ge-0/0/2

NOTE: Here, gw1 is the IKE gateway name, 192.0.2.8 is the peer VPN endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and ge-0/0/2 is the local outbound interface used as the VPN endpoint. The following configuration is also needed for IKEv2.

[edit security ike]
user@host# set gateway gw1 version v2-only
11. Configure the VPN.

[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set routing-options static route 192.0.2.10/24 qualified-next-hop st0.0 preference 1

NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator.


12. Configure the outbound flow policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.


13. Configure the inbound flow policies.

[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
14. Commit your configuration.

[edit]
user@host# commit


Configuring IPsec VPN with ECDSA signature IKE authentication on the Responder


To configure IPsec VPN with ECDSA signature IKE authentication on the responder:


1. Configure the PKI. See Example: Configuring PKI. 
2. Generate the ECDSA key pair. See Example: Generating a Public-Private Key Pair. 


3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates 
Manually. 


4. Load the CRL. See Example: Manually Loading a CRL onto the Device. 


5. Configure the IKE proposal.

[edit security ike]
user@host# set proposal ike-proposal1 authentication-method ecdsa-signatures-256
user@host# set proposal ike-proposal1 dh-group group14
user@host# set proposal ike-proposal1 authentication-algorithm sha-384
user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc

NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.


6. Configure the IKE policy.

[edit security ike]
user@host# set policy ike-policy1 mode main
user@host# set policy ike-policy1 proposals ike-proposal1
user@host# set policy ike-policy1 certificate local-certificate cert1


7. Configure the IPsec proposal.

[edit security ipsec]
user@host# set proposal ipsec-proposal1 protocol esp
user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.


8. Configure the IPsec policy.

[edit security ipsec]
user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set policy ipsec-policy1 proposals ipsec-proposal1

NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.


9. Configure the IKE gateway.

[edit security ike]
user@host# set gateway gw1 ike-policy ike-policy1
user@host# set gateway gw1 address 192.0.2.5
user@host# set gateway gw1 local-identity inet 192.0.2.8
user@host# set gateway gw1 external-interface ge-0/0/1

NOTE: Here, gw1 is the IKE gateway name, 192.0.2.5 is the peer VPN endpoint IP, 192.0.2.8 is the local VPN endpoint IP, and ge-0/0/1 is the local outbound interface used as the VPN endpoint. The following configuration is also needed for IKEv2.

[edit security ike]
user@host# set gateway gw1 version v2-only


10. Configure the VPN.

[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set routing-options static route 192.0.2.1/24 qualified-next-hop st0.0 preference 1

NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator.


11. Configure the outbound flow policies.

[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.


12. Configure the inbound flow policies.

[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

NOTE: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.


13. Commit your configuration. 


user@host# commit 
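The initiator and responder procedures above (in both the RSA-signature and the ECDSA-signature variants) only interoperate when the Phase 1 proposal, the Phase 2 proposal, the PFS group and the IKE version agree on both devices and each gateway address is the other side's local identity. The following script is an added example, not part of the Juniper guide: it parses the set commands of both peers (constructed here from the RSA-signature procedure, with every command written from the top of the hierarchy instead of under an [edit ...] prompt), follows the vpn, gateway, IKE policy and proposal references, and reports the mismatches that would stop the tunnel from negotiating. The assumption that a gateway without a version statement negotiates IKEv1 is marked in the code.

```python
"""Cross-check two Junos IKE/IPsec peer configurations.

Added example, not from the Juniper guide: parse the 'set' commands of the
initiator and the responder, follow the vpn -> gateway -> ike-policy ->
proposal references, and report anything that would stop Phase 1 or Phase 2
from negotiating.
"""
import re
from typing import Any, Dict, List

P1_FIELDS = ("authentication-method", "dh-group", "authentication-algorithm", "encryption-algorithm")
P2_FIELDS = ("protocol", "authentication-algorithm", "encryption-algorithm")
CERT_METHODS = {"rsa-signatures", "ecdsa-signatures-256", "ecdsa-signatures-384"}

# Constructed from the RSA-signature initiator procedure above.
INITIATOR = """
set security ike proposal ike-proposal1 authentication-method rsa-signatures
set security ike proposal ike-proposal1 dh-group group19
set security ike proposal ike-proposal1 authentication-algorithm sha-256
set security ike proposal ike-proposal1 encryption-algorithm aes-128-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposals ike-proposal1
set security ike policy ike-policy1 certificate local-certificate cert1
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group19
set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
set security ike gateway gw1 ike-policy ike-policy1
set security ike gateway gw1 address 192.0.2.8
set security ike gateway gw1 local-identity inet 192.0.2.5
set security ike gateway gw1 external-interface fe-0/0/1
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
set security ipsec vpn vpn1 bind-interface st0.0
"""
# The responder procedure mirrors the initiator: swapped addresses, own interface.
RESPONDER = (INITIATOR
             .replace("address 192.0.2.8", "address 192.0.2.5")
             .replace("local-identity inet 192.0.2.5", "local-identity inet 192.0.2.8")
             .replace("fe-0/0/1", "ge-0/0/2"))


def parse_set_lines(config: str) -> Dict[str, str]:
    """Map every 'set <path...> <value>' line to {'<path...>': '<value>'}."""
    kv: Dict[str, str] = {}
    for line in config.splitlines():
        toks = line.split()
        if len(toks) >= 3 and toks[0] == "set":
            kv[" ".join(toks[1:-1])] = toks[-1]
    return kv


def profile(config: str) -> Dict[str, Any]:
    """Resolve the references and collect what this peer will offer."""
    kv = parse_set_lines(config)
    vpn = next(k.split()[3] for k in kv if re.fullmatch(r"security ipsec vpn \S+ ike gateway", k))
    gw = kv[f"security ipsec vpn {vpn} ike gateway"]
    ipsec_pol = kv[f"security ipsec vpn {vpn} ike ipsec-policy"]
    ike_pol = kv[f"security ike gateway {gw} ike-policy"]
    ike_prop = kv[f"security ike policy {ike_pol} proposals"]
    ipsec_prop = kv[f"security ipsec policy {ipsec_pol} proposals"]
    return {
        "peer": kv.get(f"security ike gateway {gw} address"),
        "local": kv.get(f"security ike gateway {gw} local-identity inet"),
        # Assumption: a gateway without 'version v2-only' negotiates IKEv1.
        "version": kv.get(f"security ike gateway {gw} version", "v1-only"),
        "local_cert": kv.get(f"security ike policy {ike_pol} certificate local-certificate"),
        "p1": {f: kv.get(f"security ike proposal {ike_prop} {f}") for f in P1_FIELDS},
        "p2": {f: kv.get(f"security ipsec proposal {ipsec_prop} {f}") for f in P2_FIELDS},
        "pfs": kv.get(f"security ipsec policy {ipsec_pol} perfect-forward-secrecy keys"),
    }


def check_peers(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the peers agree."""
    findings: List[str] = []
    for phase in ("p1", "p2"):
        for field, va in a[phase].items():
            vb = b[phase][field]
            if va != vb:
                findings.append(f"{phase} {field} mismatch: {va} vs {vb}")
    if a["pfs"] != b["pfs"]:
        findings.append(f"PFS group mismatch: {a['pfs']} vs {b['pfs']}")
    if a["version"] != b["version"]:
        findings.append(f"IKE version mismatch: {a['version']} vs {b['version']}")
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        findings.append(f"gateway addresses do not cross-match: {a['peer']}/{a['local']} vs {b['peer']}/{b['local']}")
    for name, side in (("side A", a), ("side B", b)):
        if side["p1"]["authentication-method"] in CERT_METHODS and not side["local_cert"]:
            findings.append(f"{name}: certificate authentication but no local-certificate in the IKE policy")
    return findings


if __name__ == "__main__":
    print(check_peers(profile(INITIATOR), profile(RESPONDER)) or "peers agree")
```

Run against the page's own initiator and responder the check returns no findings; changing one side's encryption algorithm makes it report both the Phase 1 and the Phase 2 mismatch, which is the kind of error that otherwise only shows up as a failed negotiation in the IKE logs.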


Related Documentation

• Sample Syslog Server Configuration on a Linux System on page 67
• Understanding a Security Flow Policy on a Device Running Junos OS on page 43
• Public Key Infrastructure Feature Guide for Security Devices
Configuring the Remote Syslog Server

• Sample Syslog Server Configuration on a Linux System on page 67
• Forwarding Logs to the External Syslog Server on page 68


Sample Syslog Server Configuration on a Linux System 


Before you begin, the Linux-based syslog server must be configured with the IP address 
and gateway, and the StrongSwan IPsec client must be installed on the syslog server to 
initiate a VPN connection with the Junos OS device. 


NOTE: The following procedure is just an example to show how to configure a syslog server on a Linux platform using the StrongSwan configuration to provide IPsec.


To set up a StrongSwan configuration on the remote syslog server to provide IPsec VPN capability:


1. Modify the /etc/ipsec.secrets settings in accordance with the Junos OS device configuration.

root@host# vi /etc/ipsec.secrets
198.51.100.2 198.51.100.1 : PSK "12345"


2. Modify the /etc/ipsec.conf settings in accordance with the Junos OS device configuration.

user@host# vi /etc/ipsec.conf

config setup
    plutodebug=all
    plutostart=yes
    nat_traversal=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    ike=aes-sha256-modp2048
    auth=esp
    esp=aes128-sha1
    pfs=no

conn home
    leftfirewall=yes
    left=198.51.100.2
    right=198.51.100.1
    rightsubnet=198.51.100.5/24
    leftsubnet=203.0.113.1/24
    auto=add


NOTE: Here, conn home specifies the name of the IPsec tunnel connection to be established between a Junos OS device and the StrongSwan VPN client on the syslog server, ike=aes-sha256-modp2048 specifies the IKE encryption and authentication algorithms and DH group to be used for the connection, and esp=aes128-sha1 specifies the ESP encryption and authentication algorithms to be used for the connection.
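The ike= and esp= strings in the note above pack the encryption algorithm, the integrity algorithm and the DH group into one token, and a conn section inherits whatever conn %default sets, so the effective proposal of conn home is not visible in that section alone. The following parser is an added example, not part of the Juniper guide or of strongSwan: it reads the ipsec.conf shown above, applies the %default inheritance, and translates the ike=/esp= notation into the Junos proposal keywords used earlier in this guide so the two ends of the tunnel can be compared line by line. The name tables (modp2048 to group14, sha256 to sha-256 / hmac-sha-256-128, bare aes meaning AES-128, and so on) are assumptions based on the IANA transform and DH-group registries and strongSwan's documented shorthand, not values taken from the guide.

```python
"""Parse a strongSwan ipsec.conf and express its proposals in Junos terms.

Added example, not from the Juniper guide or the strongSwan project.
"""
import re
from typing import Dict, Tuple

# Constructed copy of the ipsec.conf from the procedure above.
IPSEC_CONF = """\
config setup
    plutodebug=all
    plutostart=yes
    nat_traversal=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    ike=aes-sha256-modp2048
    auth=esp
    esp=aes128-sha1
    pfs=no

conn home
    leftfirewall=yes
    left=198.51.100.2
    right=198.51.100.1
    rightsubnet=198.51.100.5/24
    leftsubnet=203.0.113.1/24
    auto=add
"""

# Assumed name mappings (IANA DH group numbers, Junos algorithm keywords).
DH_GROUPS = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14",
             "modp3072": "group15", "modp4096": "group16",
             "ecp256": "group19", "ecp384": "group20", "ecp521": "group21"}
IKE_INTEGRITY = {"md5": "md5", "sha1": "sha1", "sha256": "sha-256", "sha384": "sha-384"}
ESP_INTEGRITY = {"md5": "hmac-md5-96", "sha1": "hmac-sha1-96", "sha256": "hmac-sha-256-128"}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'conn home': {...}, ...}; conn sections inherit 'conn %default'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # unindented: new section
            kind, name = line.split(None, 1)
            current = f"{kind} {name}"
            sections[current] = {}
        else:                                         # indented: key=value
            if current is None:
                raise ValueError(f"parameter outside any section: {line.strip()}")
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    for name in list(sections):
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**default, **sections[name]}
    return sections


def encryption_keyword(token: str) -> str:
    """'aes', 'aes128', 'aes256gcm16', '3des' -> Junos encryption-algorithm name."""
    if token == "3des":
        return "3des-cbc"
    m = re.fullmatch(r"aes(\d{3})?(gcm)?(\d+)?", token)
    if m:
        bits = m.group(1) or "128"                    # strongSwan: bare 'aes' is AES-128
        return f"aes-{bits}-{'gcm' if m.group(2) else 'cbc'}"
    return token


def translate_ike(spec: str) -> Tuple[str, str, str]:
    """'aes-sha256-modp2048' -> (encryption-algorithm, authentication-algorithm, dh-group).
    Only the first proposal of a comma-separated list is translated."""
    parts = spec.rstrip("!").split(",")[0].split("-")
    if len(parts) != 3:
        raise ValueError(f"expected enc-integ-dh in ike= but got {spec!r}")
    enc, integ, dh = parts
    return encryption_keyword(enc), IKE_INTEGRITY.get(integ, integ), DH_GROUPS.get(dh, dh)


def translate_esp(spec: str) -> Tuple[str, str, str]:
    """'aes128-sha1[-modp2048]' -> (encryption-algorithm, authentication-algorithm, PFS group or 'none')."""
    parts = spec.rstrip("!").split(",")[0].split("-")
    if len(parts) < 2:
        raise ValueError(f"expected enc-integ[-dh] in esp= but got {spec!r}")
    dh = DH_GROUPS.get(parts[2], parts[2]) if len(parts) > 2 else "none"
    return encryption_keyword(parts[0]), ESP_INTEGRITY.get(parts[1], parts[1]), dh


def summarize(conn: Dict[str, str]) -> Dict[str, object]:
    """Effective proposal of one conn section, in Junos vocabulary."""
    return {"peer": conn.get("right"), "ike": translate_ike(conn["ike"]),
            "esp": translate_esp(conn["esp"]), "pfs": conn.get("pfs", "yes")}


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(IPSEC_CONF).items():
        if name.startswith("conn ") and name != "conn %default":
            print(name, summarize(conn))
```

For conn home the result is IKE aes-128-cbc / sha-256 / group14 and ESP aes-128-cbc / hmac-sha1-96 with pfs=no, which is exactly what the Junos side's IKE proposal, IPsec proposal and IPsec policy have to be set to for this syslog tunnel to come up.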


3. Activate the IPsec service by using the ipsec up <being-established-ipsec-tunnel-name> command. For example:

[root@fipscc-pc02 user]# ipsec up home
002 "home" #3: initiating Main Mode
104 "home" #3: STATE_MAIN_I1: initiate
010 "home" #3: STATE_MAIN_I1: retransmission; will wait 20s for response


4. Restart the IPsec StrongSwan service.

root@host# ipsec restart


5. Check for encrypted syslog traffic.

root@host# tcpdump -i eth1 -vv -s 1500 -c 10 -w /var/tmp/Syslog_Traffic.pcap


6. Copy /var/log/syslog to the /var/tmp/syslog_verify file on the syslog server to validate the syslog from the Junos OS device.

root@host# cp /var/log/syslog /var/tmp/syslog_verify


Related Documentation

• Creating a Secure Logging Channel on page 29


Forwarding Logs to the External Syslog Server 




When the device running Junos OS is set up for an external syslog server, the TOE forwards 
copies of local logs to the external syslog server and retains local copies of all logs when 
the TOE is configured in event log mode. In stream log mode, all logs except traffic logs 
are stored locally and can be forwarded to an external syslog server, whereas traffic logs 
can only be forwarded to an external syslog server. 


The connection between the device running Junos OS and the syslog server is established on an event basis, depending on the preconfiguration of which types of logs are forwarded from local to external. When the configured condition is met, the device sends local logs to the external syslog server.


Related Documentation

• Sample Syslog Server Configuration on a Linux System on page 67
Configuring Audit Log Options


• Configuring Audit Log Options in the Evaluated Configuration on page 71
• Sample Code Audits of Configuration Changes on page 72


Configuring Audit Log Options in the Evaluated Configuration 


The following sections describe how to configure audit log options in the evaluated 
configuration. 


• Configuring Audit Log Options for Branch SRX Series Devices on page 71
• Configuring Audit Log Options for High-end SRX Series Devices on page 72


Configuring Audit Log Options for Branch SRX Series Devices 


To configure audit log options for branch SRX Series devices: 


1. Specify the number of files to be archived in the system logging facility.

[edit system syslog]
root@host# set archive files 2

2. Specify the file in which to log data.

[edit system syslog]
root@host# set file syslog any any

3. Specify the size of files to be archived.

[edit system syslog]
root@host# set file syslog archive size 100000000

4. Specify the priority and facility in messages for the system logging facility.

[edit system syslog]
root@host# set file syslog explicit-priority

5. Log system messages in a structured format.

[edit system syslog]
root@host# set file syslog structured-data

6. Configure security log events in the audit log buffer.

[edit]
root@host# set security log cache


Configuring Audit Log Options for High-end SRX Series Devices 


To configure audit log options for high-end SRX Series devices: 


1. Specify the number of files to be archived in the system logging facility.

[edit system syslog]
root@host# set archive files 2

2. Specify the file in which to log data.

[edit system syslog]
root@host# set file syslog any any

3. Specify the size of files to be archived.

[edit system syslog]
root@host# set file syslog archive size 100000000

4. Specify the priority and facility in messages for the system logging facility.

[edit system syslog]
root@host# set file syslog explicit-priority

5. Log system messages in a structured format.

[edit system syslog]
root@host# set file syslog structured-data

6. Specify how security logs need to be processed and exported.

[edit]
root@host# set security log mode event


Related Documentation

• Sample Code Audits of Configuration Changes on page 72


Sample Code Audits of Configuration Changes 


This sample code audits all changes to the configuration secret data and sends the logs 
to a file named Audit-File: 


[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
    }
}


This sample code expands the scope of the minimum audit to audit all changes to the 
configuration, not just secret data, and sends the logs to a file named Audit-File: 


[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands info;
        kernel info;
        pfe info;
    }
}


Example: System Logging of Configuration Changes

This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.


[edit system]
location {
    country-code US;
    building B1;
}
login {
    message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!";
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$ABC123"; # SECRET-DATA
        }
    }
    password {
        format md5;
    }
}
radius-server 192.0.2.15 {
    secret "$ABC123"; # SECRET-DATA
}
services {
    ssh;
}
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}


The new configuration changes the secret data configuration statements and adds a 
new user. 


user@host# show | compare
[edit system login user admin authentication]
-   encrypted-password "$ABC123"; # SECRET-DATA
+   encrypted-password "$ABC123"; # SECRET-DATA
[edit system login]
+   user admin2 {
+       uid 2001;
+       class operator;
+       authentication {
+           encrypted-password "$ABC123"; # SECRET-DATA
+       }
+   }
[edit system radius-server 192.0.2.15]
-   secret "$ABC123"; # SECRET-DATA
+   secret "$ABC123"; # SECRET-DATA


Related Documentation

• Configuring Audit Log Options in the Evaluated Configuration on page 71
Configuring Event Logging


• Event Logging Overview on page 75
• Configuring Event Logging to a Local File on page 76
• Interpreting Event Messages on page 76
• Logging Changes to Secret Data on page 77
• Login and Logout Events Using SSH on page 78
• Logging of Audit Startup on page 79


Event Logging Overview 


The evaluated configuration requires the auditing of configuration changes through the 
system log. 


In addition, Junos OS can: 


• Send automated responses to audit events (syslog entry creation).
• Allow authorized managers to examine audit logs.
• Send audit files to external servers.
• Allow authorized managers to return the system to a known state.


The logging for the evaluated configuration must capture the following events:


• Changes to secret key data in the configuration.
• Committed changes.
• Login/logout of users.
• System startup.
• Failure to establish an SSH session.
• Establishment/termination of an SSH session.
• Changes to the (system) time.
• Termination of a remote session by the session locking mechanism.
• Termination of an interactive session.


In addition, Juniper Networks recommends that logging also:


• Capture all changes to the configuration.
• Store logging information remotely.


Related Documentation

• Interpreting Event Messages on page 76


Configuring Event Logging to a Local File 


You can configure storing of audit information to a local file with the syslog statement. 
This example stores logs in a file named Audit-File: 


[edit system]
syslog {
    file Audit-File;
}


Related Documentation

• Event Logging Overview on page 75


Interpreting Event Messages 


The following output shows a sample event message. 


Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]


Table 11 on page 76 describes the fields for an event message. If the system logging utility 
cannot determine the value in a particular field, a hyphen ( - ) appears instead. 


Table 11: Fields in Event Messages

Field: timestamp
Description: Time when the message was generated, in one of two representations:
• MMM-DD HH:MM:SS.MS+/-HH:MM is the month, day, hour, minute, second and millisecond in local time. The hour and minute that follows the plus sign (+) or minus sign (-) is the offset of the local time zone from Coordinated Universal Time (UTC).
• YYYY-MM-DDTHH:MM:SS.MSZ is the year, month, day, hour, minute, second and millisecond in UTC.
Examples: Jul 24 17:43:28 is the timestamp expressed as local time in the United States. 2012-07-24T09:17:15.719Z is 9:17 AM UTC on 24 July 2012.

Field: hostname
Description: Name of the host that originally generated the message.
Example: router1

Field: process
Description: Name of the Junos OS process that generated the message.
Example: mgd

Field: processID
Description: UNIX process ID (PID) of the Junos OS process that generated the message.
Example: 4153

Field: TAG
Description: Junos OS system log message tag, which uniquely identifies the message.
Example: UI_DBASE_LOGOUT_EVENT

Field: username
Description: Username of the user initiating the event.
Example: 'admin'

Field: message-text
Description: English-language description of the event.
Example: set: [system radius-server 1.2.3.4 secret]





Related «. Event Logging Overview on page 75 
Documentation 


Logging Changes to Secret Data

The following are examples of audit logs of events that change secret data. In each case the
log records which configuration path changed and who changed it, not the secret value itself.

Load Merge

When a load merge command is issued to merge the contents of the example Common
Criteria configuration with the contents of the original configuration, the following audit
logs are created concerning the secret data:

Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin2 authentication encrypted-password]

Load Replace

When a load replace command is issued to replace the contents of the example Common
Criteria configuration with the contents of the original configuration, the following audit
logs are created concerning the secret data:

Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]

Load Override

When a load override command is issued to override the contents of the example Common
Criteria configuration with the contents of the original configuration, the following audit
logs are created concerning the secret data:

Jul 25 14:25:51 router1 mgd[4153]: UI_LOAD_EVENT: User 'admin' is performing a 'load override'
Jul 25 14:25:51 router1 mgd[4153]: UI_CFG_AUDIT_OTHER: User 'admin' override: CC_config2.txt
Jul 25 14:25:51 router1 mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 25 14:25:51 router1 mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 25 14:25:51 router1 mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]

Load Update

When a load update command is issued to update the contents of the example Common
Criteria configuration with the contents of the original configuration, the following audit
logs are created concerning the secret data:

Jul 25 14:31:03 router1 mgd[4153]: UI_LOAD_EVENT: User 'admin' is performing a 'load update'
Jul 25 14:31:03 router1 mgd[4153]: UI_CFG_AUDIT_OTHER: User 'admin' update: CC_config2.txt
Jul 25 14:31:03 router1 mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 25 14:31:03 router1 mgd[4153]: UI_CFG_AUDIT_OTHER: User 'admin' deactivate: [system radius-server 1.2.3.4 secret] ""
Jul 25 14:31:03 router1 mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 25 14:31:03 router1 mgd[4153]: UI_CFG_AUDIT_OTHER: User 'admin' deactivate: [system login user admin authentication encrypted-password] ""
Jul 25 14:31:03 router1 mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user test authentication encrypted-password]
Jul 25 14:31:03 router1 mgd[4153]: UI_CFG_AUDIT_OTHER: User 'admin' deactivate: [system login user test authentication encrypted-password] ""

For more information about configuring parameters and managing log files, see the Junos
OS System Log Messages Reference.

Related Documentation
• Configuring Event Logging to a Local File on page 76
• Interpreting Event Messages on page 76


Login and Logout Events Using SSH

System log messages are generated whenever a user successfully or unsuccessfully
attempts SSH access. Logout events are also recorded. For example, the following logs
are the result of two failed authentication attempts, then a successful one, and finally a
logout:

Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 192.0.2.16 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 192.0.2.16 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 192.0.2.16 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit '
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
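The sequence above, failures followed by a success from the same source, is the classic sign of a guessed password. The detector below is an added example, not from the Junos documentation: it runs over constructed sshd lines that include the page's own sample and reports both runs that ended in a success and runs that did not. The threshold, the time window, the function names and the extra lines for 203.0.113.9 are assumptions made here; the "invalid user" wording is standard OpenSSH and is not shown on this page.

```python
"""Added example, not from the Junos documentation: flag SSH password guessing
(repeated failures, then a success) from sshd system log messages."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# sshd line as shown on this page; "invalid user" is OpenSSH's wording for
# unknown accounts and is accepted as well (assumption, not on the page).
_SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2"
)


def _seconds(ts: str) -> float:
    # Syslog timestamps carry no year; gaps within one capture are all we need.
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


def ssh_auth_events(lines):
    """(seconds, result, user, source, method) for every sshd auth line."""
    events = []
    for line in lines:
        m = _SSHD_RE.match(line.strip())
        if m:
            events.append((_seconds(m["ts"]), m["result"], m["user"], m["src"], m["method"]))
    return events


def detect_password_guessing(lines, min_failures: int = 2, window_s: int = 300) -> List[Dict]:
    """Report (user, source) pairs with at least min_failures failed logins
    inside window_s seconds. A success that follows such a run is the finding
    that matters most: the password was most likely guessed."""
    findings = []
    recent = defaultdict(list)  # (user, src) -> times of failures still inside the window
    for t, result, user, src, method in ssh_auth_events(lines):
        key = (user, src)
        recent[key] = [f for f in recent[key] if t - f <= window_s]
        if result == "Failed":
            recent[key].append(t)
            continue
        if len(recent[key]) >= min_failures:
            findings.append({"user": user, "src": src, "failures": len(recent[key]),
                             "outcome": "success-after-failures", "method": method})
        recent[key].clear()
    # runs that never ended in a success are still worth a look
    for (user, src), times in recent.items():
        if len(times) >= min_failures:
            findings.append({"user": user, "src": src, "failures": len(times),
                             "outcome": "failed-burst"})
    return findings


# Constructed sample: the page's lines for 'op', plus lines for a second source.
SAMPLE_LOG = """\
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 192.0.2.16 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 192.0.2.16 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 192.0.2.16 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
Dec 20 23:40:01 bilbo sshd[16701]: Failed password for root from 203.0.113.9 port 40122 ssh2
Dec 20 23:40:03 bilbo sshd[16702]: Failed password for root from 203.0.113.9 port 40123 ssh2
Dec 20 23:40:05 bilbo sshd[16703]: Failed password for invalid user admin from 203.0.113.9 port 40124 ssh2
Dec 20 23:41:10 bilbo sshd[16710]: Accepted publickey for op from 192.0.2.16 port 1702 ssh2
"""

if __name__ == "__main__":
    for finding in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(finding)
```

The window is keyed on (user, source) rather than on the sshd PID because, as the sample shows, one sshd child can serve several attempts while a spray from one source uses a fresh child per attempt.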


Related Documentation
• Interpreting Event Messages on page 76


Logging of Audit Startup

The audit information logged includes startups of Junos OS. This in turn identifies the
startup events of the audit system, which cannot be independently disabled or enabled.
For example, if Junos OS is restarted, the audit log contains the following information:

Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
Dec 20 23:17:35 bilbo syslogd: restart
Dec 20 23:17:35 bilbo syslogd /kernel: Dec 20 23:17:35 init: syslogd (PID 19128) exited with status=1
Dec 20 23:17:42 bilbo /kernel:
Dec 20 23:17:53 init: syslogd (PID 19200) started

Related Documentation
• Login and Logout Events Using SSH on page 78
CHAPTER 11

Performing Self-Tests on a Device

• Performing Successful Self-Tests on page 81
• Failed Self-Tests and Associated Errors on page 83

Performing Successful Self-Tests

The device running Junos OS performs a self-test upon power-on, called the power-on
self-test (POST). You can trigger it by rebooting the device with the following command:

user@host> request system reboot

A self-test can also be triggered on demand using the following command:

user@host> request system fips self-test

A console message prompts you if the self-test validation is successful. The following
sample displays the self-test output on a high-end SRX Series device:


Testing file integrity: 


File integrity Known Answer Test: Passed 
Testing kernel KATS: 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES128-CMAC Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
Testing libmd KATS: 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
Testing OpenSSL KATS: 
FIPS RNG Known Answer Test: Passed 
NIST 800-90 HMAC DRBG Known Answer Test: Passed 
FIPS ECDSA Known Answer Test: Passed 
FIPS ECDH Known Answer Test: Passed 
FIPS RSA Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
HMAC-SHA2-384 Known Answer Test: Passed 
HMAC-SHA2-512 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
ECDSA-SIGN Known Answer Test: Passed
KDF-IKE-V1 Known Answer Test: Passed
KDF-SSH Known Answer Test: Passed
Testing QuickSec KATS:
NIST 800-90 HMAC DRBG Known Answer Test: Passed
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-224 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
HMAC-SHA2-384 Known Answer Test: Passed
HMAC-SHA2-512 Known Answer Test: Passed
AES-CBC Known Answer Test: Passed
AES-GCM Known Answer Test: Passed
SSH-RSA-ENC Known Answer Test: Passed
SSH-RSA-SIGN Known Answer Test: Passed
KDF-IKE-V1 Known Answer Test: Passed
KDF-IKE-V2 Known Answer Test: Passed
Testing SSH IPsec KATS:
NIST 800-90 HMAC DRBG Known Answer Test: Passed
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
SHA-2 Known Answer Test: Passed
AES-CBC Known Answer Test: Passed
SSH-RSA-ENC Known Answer Test: Passed
SSH-RSA-SIGN Known Answer Test: Passed
KDF-IKE-V1 Known Answer Test: Passed
Testing crypto integrity:
Crypto integrity Known Answer Test: Passed
Expect an exec Authentication error...
/sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error


The following sample displays the self-test output on a branch SRX Series device:

Testing file integrity:
File integrity Known Answer Test: Passed
Testing JSF Crypto (Octeon) KATs:
AES-CBC Known Answer Test: Passed
AES-GCM Known Answer Test: Passed
RSA-SIGN Known Answer Test: Passed
ECDSA-SIGN Known Answer Test: Passed
Testing kernel KATS:
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
SHA-2 Known Answer Test: Passed
AES128-CMAC Known Answer Test: Passed
AES-CBC Known Answer Test: Passed
Testing libmd KATS:
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
Testing Octeon KATS:
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
AES-CBC Known Answer Test: Passed
Testing OpenSSL KATS:
FIPS RNG Known Answer Test: Passed
NIST 800-90 HMAC DRBG Known Answer Test: Passed
FIPS ECDSA Known Answer Test: Passed
FIPS ECDH Known Answer Test: Passed
FIPS RSA Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
HMAC-SHA2-384 Known Answer Test: Passed 
HMAC-SHA2-512 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
ECDSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
KDF-SSH Known Answer Test: Passed 
Testing QuickSec KATS: 
NIST 800-90 HMAC DRBG Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-224 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
HMAC-SHA2-384 Known Answer Test: Passed 
HMAC-SHA2-512 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
AES-GCM Known Answer Test: Passed 
SSH-RSA-ENC Known Answer Test: Passed 
SSH-RSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
KDF-IKE-V2 Known Answer Test: Passed 
Testing SSH IPsec KATS: 
NIST 800-90 HMAC DRBG Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
SSH-RSA-ENC Known Answer Test: Passed 
SSH-RSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
Testing crypto integrity: 
Crypto integrity Known Answer Test: Passed 


Expect an exec Authentication error... 
/sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error 


Related Documentation
• Failed Self-Tests and Associated Errors on page 83

Failed Self-Tests and Associated Errors

A console message, a log message, or both notify you when a self-test fails.
A failed authentication self-test displays the following error messages:

Expect an exec Authentication error...
/sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error

Note that the same two lines close both successful samples in Performing Successful
Self-Tests, where the Expect line announces that the refused exec is intended. The
unmistakable signs of a failed self-test are a FIPS Error line from run-tests or, for a
kernel KAT, a panic and reboot as shown in the samples below.

The other failed self-tests result in an error message of the form
/sbin/kats/run-tests: <error-message>, where error-message can take any of the
following values:


FIPS Error 5: cannot verify certificate PackageCA
FIPS Error 1: AES-CBC Known Answer Test: Failed
FIPS Error 1: SHA-2 Known Answer Test: Failed
FIPS Error 1: HMAC-SHA1 Known Answer Test: Failed
FIPS Error 1: HMAC-SHA2-256 Known Answer Test: Failed
FIPS Error 1: SSH-RSA-ENC Known Answer Test: Failed
FIPS Error 1: SSH-RSA-SIGN Known Answer Test: Failed
FIPS Error 1: FIPS RNG Known Answer Test: Failed
FIPS Error 2: RNG test failed
FIPS Error 1: FIPS RSA Known Answer Test: Failed
FIPS Error 6: RSA private decrypt failed
FIPS Error 6: RSA public encrypt failed
FIPS Error 3: RSA private key set failed
FIPS Error 4: RSA public key set failed
FIPS Error 3: RSA sign final failed
FIPS Error 3: RSA sign init failed
FIPS Error 3: RSA sign update failed
FIPS Error 4: RSA verify final failed
FIPS Error 6: RSA conversion failed
FIPS Error 8: RSA pairwise test failed
FIPS Error 1: RSA-ENC Known Answer Test: Failed
FIPS Error 1: RSA-SIGN Known Answer Test: Failed
FIPS Error 1: FIPS ECDSA Known Answer Test: Failed
FIPS Error 3: ECDSA private key set failed
FIPS Error 4: ECDSA public key set failed
FIPS Error 3: ECDSA sign final failed
FIPS Error 3: ECDSA sign init failed
FIPS Error 3: ECDSA sign update failed
FIPS Error 4: ECDSA verify final failed
FIPS Error 4: ECDSA verify init failed
FIPS Error 4: ECDSA verify update failed
FIPS Error 8: ECDSA pairwise test failed
FIPS Error 1: ECDSA-SIGN Known Answer Test: Failed


The following sample displays the FAKE-KATS output on a high-end SRX Series device.
The FIPS_KAT_FAIL_AES_CBC_DEC environment variable forces the AES-CBC KAT to report
failure so that the failure path can be exercised; as the output shows, a kernel KAT
failure panics the Routing Engine and reboots the device:

root@host% cd /sbin/kats
root@host% ./kernel_kats -v
Testing kernel KATS:
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
SHA-2 Known Answer Test: Passed
AES128-CMAC Known Answer Test: Passed
AES-CBC Known Answer Test: Passed

root@host% env FIPS_KAT_FAIL_AES_CBC_DEC=FIPS_ERROR_RUNTIME ./kernel_kats -v
Testing kernel KATS:
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
SHA-2 Known Answer Test: Passed
AES128-CMAC Known Answer Test: Passed

panic: pid 1414 (chassisd), uid 0, FIPS error 1: FIPS error
KDB: stack backtrace:
kdb_backtrace(c0cd6f00,c0d6e5a0,c0cd8770,f76c9b28,c0c24d16) at kdb_backtrace+0x29
panic(c0cd8770,f76c9b3c,1,f76c9ba4,f76c9ba4) at panic+0x283
fips_error(c5a0b400,1,f76c9ba4,0,c5d94460) at fips_error+0xf6
jnprsys(c5a0b400,f76c9cfc,8,c5a0b400,f76c9d2c) at jnprsys+0xa66
syscall(f76c9d38) at syscall+0x3ed
Xint0x80_syscall() at Xint0x80_syscall+0x20
--- syscall (159, FreeBSD ELF32, jnprsys), eip = 0x8dbef0bf, esp = 0xbfb7d8dc, ebp = 0xbfb7dd08 ---
mastership: routing engine 0 relinquishing as master: Shutdown
jnx_update_system_statel: Called with panic str set to 0xc0d6e5a0, skipping..
TNPv3: deleting active neighbor entry 0x1 from interface em0.
TNPv3: deleting active neighbor entry 0x1 from interface em1.
setting server address to 0x00000000
fib_loc_remove_tokens: called while RE is master
Uptime: 22m25s
Physical memory: 2031 MB
Dumping 114 MB: 99 83 67 51 35 19 3
Dump complete
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...


The following sample displays the FAKE-KATS output on a branch SRX Series device:

root@host% cd /sbin/kats
root@host% ./kernel_kats -v
Testing kernel KATS:
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
HMAC-SHA2-256 Known Answer Test: Passed
SHA-2 Known Answer Test: Passed
AES128-CMAC Known Answer Test: Passed
AES-CBC Known Answer Test: Passed

root@host% env FIPS_KAT_FAIL_AES_CBC_DEC=FIPS_ERROR_RUNTIME ./kernel_kats -v
Testing kernel KATS:
panic: pid 1692 (kernel_kats), uid 0, FIPS error 1: AES-CBC Known Answer Test: Failed
cpuid = 0
KDB: stack backtrace:
0x864d5244+0x20 (0x6,0x3ffed430,0,0x40deda) ra 0x862137c sz 0
0x8621310+0x6c (0x1,0x3ffed430,0x40e180,0) ra 0x403228 sz 1072
0x402368+0xec0 (0x1,0x3ffed430,0x40e180,0) ra 0x40161c sz 2416
0x401560+0xbc (0x1,0x3ffed430,0x40e180,0) ra 0x8456e3c sz 40
VA 0x8446e38: not in user area or heuristics failed
_Start+0x88356d7c (0x1,0x3ffed430,0x40e180,0) ra 0 sz 0
pid 1692, process: kernel_kats
Uptime: 3m5s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
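The checker below is an added example, not from the Junos documentation: it reads the self-test console output shown in Performing Successful Self-Tests and Failed Self-Tests and Associated Errors, records every Known Answer Test line under its test group (the same KAT name recurs in the kernel, OpenSSL, QuickSec and SSH IPsec groups), treats the Expect/cannot-exec pair that closes the successful samples as the expected outcome of the exec-authentication check, and treats a FIPS Error line from run-tests or a FIPS kernel panic as a failure. The function names, the result structure and the abbreviated sample outputs are assumptions made here.

```python
"""Added example, not from the Junos documentation: check the console output of
'request system fips self-test' and decide whether every KAT passed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

_GROUP_RE = re.compile(r"^Testing (?P<group>.+?):\s*$")
_KAT_RE = re.compile(r"^(?P<name>.+?Known Answer Test): (?P<result>Passed|Failed)\s*$")
_RUNTESTS_ERR_RE = re.compile(r"^/sbin/kats/run-tests: FIPS Error (?P<code>\d+): (?P<msg>.+?)\s*$")
_PANIC_RE = re.compile(r"^panic: .*FIPS error (?P<code>\d+): (?P<msg>.+?)\s*$")
# Both successful samples on the page end with these two lines: run-tests
# tries to execute an unsigned binary and expects the exec to be refused.
_EXPECT_LINE = "Expect an exec Authentication error..."
_EXEC_REFUSED = "/sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error"


@dataclass
class SelfTestResult:
    passed: List[str] = field(default_factory=list)             # "group/test name"
    failed: List[str] = field(default_factory=list)
    errors: List[Tuple[int, str]] = field(default_factory=list)  # run-tests FIPS Error lines
    panic: str = ""                                              # message of a FIPS kernel panic
    exec_check_seen: bool = False

    @property
    def ok(self) -> bool:
        """Every KAT passed, nothing errored or panicked, and the announced
        exec-authentication refusal was actually observed."""
        return (bool(self.passed) and not self.failed and not self.errors
                and not self.panic and self.exec_check_seen)


def parse_self_test(output: str) -> SelfTestResult:
    res = SelfTestResult()
    group = "?"              # set by "Testing kernel KATS:" style lines
    expect_pending = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _GROUP_RE.match(line)
        if m:
            group = m["group"]
            continue
        m = _PANIC_RE.match(line)
        if m:
            res.panic = m["msg"]
            continue
        m = _RUNTESTS_ERR_RE.match(line)
        if m:
            res.errors.append((int(m["code"]), m["msg"]))
            continue
        if line == _EXPECT_LINE:
            expect_pending = True
            continue
        if line == _EXEC_REFUSED:
            # Only an announced refusal counts as the expected outcome; an
            # unannounced one is recorded as an error (assumption made here).
            if expect_pending:
                res.exec_check_seen = True
            else:
                res.errors.append((0, line))
            expect_pending = False
            continue
        m = _KAT_RE.match(line)
        if m:
            (res.passed if m["result"] == "Passed" else res.failed).append(f"{group}/{m['name']}")
    return res


# Constructed samples, abbreviated from the outputs shown on this page.
GOOD_OUTPUT = """\
Testing file integrity:
File integrity Known Answer Test: Passed
Testing kernel KATS:
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
AES-CBC Known Answer Test: Passed
Testing OpenSSL KATS:
FIPS RNG Known Answer Test: Passed
DES3-CBC Known Answer Test: Passed
Testing crypto integrity:
Crypto integrity Known Answer Test: Passed
Expect an exec Authentication error...
/sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
"""
BAD_OUTPUT = """\
Testing file integrity:
File integrity Known Answer Test: Passed
Testing kernel KATS:
DES3-CBC Known Answer Test: Passed
AES-CBC Known Answer Test: Failed
/sbin/kats/run-tests: FIPS Error 1: AES-CBC Known Answer Test: Failed
"""
PANIC_OUTPUT = """\
Testing kernel KATS:
DES3-CBC Known Answer Test: Passed
HMAC-SHA1 Known Answer Test: Passed
panic: pid 1692 (kernel_kats), uid 0, FIPS error 1: AES-CBC Known Answer Test: Failed
cpuid = 0
Automatic reboot in 15 seconds - press a key on the console to abort
"""

if __name__ == "__main__":
    for name, out in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT), ("panic", PANIC_OUTPUT)):
        r = parse_self_test(out)
        print(name, "ok" if r.ok else "FAILED", len(r.passed), r.failed, r.errors, r.panic)
```

Run it over the captured console log of a FIPS-mode boot or of request system fips self-test; a result with ok False is what an operator should escalate, and the failed and errors lists say which library and which algorithm to look at.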
Related Documentation
• Performing Successful Self-Tests on page 81
CHAPTER 12

Configuring Network Attacks

• Configuring IP Teardrop Attack Screen on page 87
• Configuring TCP Land Attack Screen on page 89
• Configuring ICMP Fragment Screen on page 90
• Configuring Ping-Of-Death Attack Screen on page 91
• Configuring tcp-no-flag Attack Screen on page 92
• Configuring TCP SYN-FIN Attack Screen on page 93
• Configuring TCP fin-no-ack Attack Screen on page 95
• Configuring UDP Bomb Attack Screen on page 96
• Configuring UDP CHARGEN DoS Attack Screen on page 96
• Configuring TCP SYN and RST Attack Screen on page 97
• Configuring ICMP Flood Attack Screen on page 99
• Configuring TCP SYN Flood Attack Screen on page 100
• Configuring TCP Port Scan Attack Screen on page 101
• Configuring UDP Port Scan Attack Screen on page 103
• Configuring IP Sweep Attack Screen on page 104


Configuring IP Teardrop Attack Screen

This topic describes how to configure detection of an IP teardrop attack.

Teardrop attacks exploit the reassembly of fragmented IP packets. One of the fields in the
IP header is the fragment offset field, which indicates the starting position, or offset, of
the data contained in a fragmented packet relative to the data of the original unfragmented
packet. When the offset plus the size of one fragment reaches past the offset of the next
fragment, the fragments overlap, and a host attempting to reassemble the packet might
crash.

To enable detection of a teardrop attack:

1. Configure interfaces and assign IP addresses to the interfaces.

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24

2. Configure security zones trustZone and untrustZone and assign interfaces to them.

user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZ one interfaces ge-0/0/3.0

Allowing all system services and protocols inbound on untrustZone matches the test setup
used in this guide; in production, limit host-inbound-traffic on an untrusted zone to the
services it actually needs.

3. Configure security policies from untrustZone to trustZone.

user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all

4. Configure the security screen option and attach it to untrustZone.

user@host# set security screen ids-option untrustScreen ip tear-drop
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop

The alarm-without-drop statement makes the screen log matching packets without dropping
them, which is useful while validating detection; omit it to have matching packets dropped.

5. Configure syslog.

user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog explicit-priority
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close

6. Commit the configuration.

user@host# commit

Related Documentation
• IDP Extended Package Configuration Overview on page 107
Configuring TCP Land Attack Screen

This topic describes how to configure detection of a TCP land attack.

Land attacks occur when an attacker sends spoofed SYN packets containing the IP
address of the victim as both the destination and the source IP address.

To enable detection of a TCP land attack:

1. Configure interfaces and assign IP addresses to the interfaces.

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24

2. Configure security zones trustZone and untrustZone and assign interfaces to them.

user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0

3. Configure security policies from untrustZone to trustZone.

user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all

4. Configure security screens and attach them to untrustZone.

user@host# set security screen ids-option untrustScreen tcp land
user@host# set security zones security-zone untrustZone screen untrustScreen

5. Configure syslog.

user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog explicit-priority
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close

6. Commit the configuration.

user@host# commit

Related Documentation
• IDP Extended Package Configuration Overview on page 107


Configuring ICMP Fragment Screen

This topic describes how to configure detection of an ICMP fragment attack.

If an ICMP packet is large, it must be fragmented. When the ICMP fragment protection
screen option is enabled, Junos OS blocks any ICMP packet that has the More Fragments
flag set or that has a nonzero value in the fragment offset field.

To enable detection of an ICMP fragment IDS attack:

1. Configure interfaces and assign IP addresses to the interfaces.

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24

2. Configure security zones trustZone and untrustZone and assign interfaces to them.

user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0

3. Configure security policies from untrustZone to trustZone.

user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all

4. Configure security screens and attach them to untrustZone.

user@host# set security screen ids-option untrustScreen icmp fragment
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop

5. Configure syslog.

user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog explicit-priority
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close

6. Commit the configuration.

user@host# commit

Related Documentation
• IDP Extended Package Configuration Overview on page 107


Configuring Ping-Of-Death Attack Screen

This topic describes how to configure detection of a ping-of-death attack.

A ping-of-death packet is an IP datagram whose protocol field is set to 1 (ICMP), whose
More Fragments flag is clear (marking it as the last fragment), and for which
(IP offset * 8) + (IP data length) > 65535. The IP offset (which represents the starting
position of this fragment in the original packet, in 8-byte units) plus the rest of the
packet is greater than the maximum size of an IP packet, so the reassembled datagram
cannot fit the receiver's buffer.

To enable detection of a ping-of-death IDP attack:

1. Configure interfaces and assign IP addresses to the interfaces.

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24

2. Configure security zones trustZone and untrustZone and assign interfaces to them.

user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0

3. Configure security policies from untrustZone to trustZone.

user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all

4. Configure security screens and attach them to untrustZone.

user@host# set security screen ids-option untrustScreen icmp ping-death
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop

5. Configure syslog.

user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog explicit-priority
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close

6. Commit the configuration.

user@host# commit

Related Documentation
• IDP Extended Package Configuration Overview on page 107
Configuring tcp-no-flag Attack Screen

This topic describes how to configure detection of a tcp-no-flag attack.

A TCP segment with no control flags set is an anomalous event that causes various
responses from the recipient. When the tcp-no-flag screen is enabled, the device detects
TCP segment headers with no flags set and drops all TCP packets with missing or
malformed flag fields.

To enable detection of a tcp-no-flag attack:

1. Configure interfaces and assign IP addresses to the interfaces.

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24

2. Configure security zones trustZone and untrustZone and assign interfaces to them.

user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0

3. Configure security policies from untrustZone to trustZone.

user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all

4. Configure security screens and attach them to untrustZone.

user@host# set security screen ids-option untrustScreen tcp tcp-no-flag
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop

5. Configure syslog.

user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog explicit-priority
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close

6. Commit the configuration.

user@host# commit

Related Documentation
• IDP Extended Package Configuration Overview on page 107
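The checks below are an added example, not part of the Junos documentation and not SRX code: they implement the packet conditions described in the ip tear-drop, tcp land, icmp fragment, icmp ping-death and tcp tcp-no-flag topics above on constructed IPv4 packets, so that the header fields each screen looks at are explicit. The packet builders, the function names, the sample addresses and the sample packets are assumptions made here for illustration; the addresses come from the procedures above.

```python
"""Added example, not from the Junos documentation: the packet-level conditions
behind the ip tear-drop, tcp land, icmp fragment, icmp ping-death and
tcp tcp-no-flag screens, evaluated on constructed IPv4 packets."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List

IP_MF = 0x2000      # More Fragments bit in the IPv4 flags/fragment-offset field
TCP_SYN = 0x02      # SYN bit in the TCP control flags
PROTO_ICMP, PROTO_TCP = 1, 6


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    mf: bool
    frag_offset: int   # in 8-byte units, as carried in the header
    data_len: int      # bytes after the IP header
    payload: bytes


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               frag_offset: int = 0, mf: bool = False) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    flags_off = (IP_MF if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_off, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Bare 20-byte TCP header; byte 13 carries the control flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt: bytes) -> IPv4Packet:
    vihl, _, total, _, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return IPv4Packet(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                      proto, bool(flags_off & IP_MF), flags_off & 0x1FFF,
                      total - ihl, pkt[ihl:total])


def tcp_flags(ip: IPv4Packet) -> int:
    return ip.payload[13] & 0x3F if ip.proto == PROTO_TCP and len(ip.payload) >= 14 else 0


# --- one predicate per screen, as the topics above describe them -------------
def is_land(ip: IPv4Packet) -> bool:
    """tcp land: SYN whose source and destination address are both the victim's."""
    return ip.proto == PROTO_TCP and ip.src == ip.dst and bool(tcp_flags(ip) & TCP_SYN)


def is_tcp_no_flag(ip: IPv4Packet) -> bool:
    """tcp tcp-no-flag: TCP header with no control flags set."""
    return ip.proto == PROTO_TCP and tcp_flags(ip) == 0


def is_icmp_fragment(ip: IPv4Packet) -> bool:
    """icmp fragment: ICMP with More Fragments set or a nonzero fragment offset."""
    return ip.proto == PROTO_ICMP and (ip.mf or ip.frag_offset != 0)


def is_ping_of_death(ip: IPv4Packet) -> bool:
    """icmp ping-death: last ICMP fragment ending beyond the 65535-byte maximum."""
    return ip.proto == PROTO_ICMP and not ip.mf and ip.frag_offset * 8 + ip.data_len > 65535


def is_teardrop(fragments: Iterable[IPv4Packet]) -> bool:
    """ip tear-drop: two fragments of one datagram whose byte ranges overlap."""
    spans = sorted((f.frag_offset * 8, f.frag_offset * 8 + f.data_len) for f in fragments)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def screen_matches(ip: IPv4Packet) -> List[str]:
    """Names (as configured under ids-option) of the single-packet screens that fire."""
    checks = {"tcp land": is_land, "tcp tcp-no-flag": is_tcp_no_flag,
              "icmp fragment": is_icmp_fragment, "icmp ping-death": is_ping_of_death}
    return [name for name, check in checks.items() if check(ip)]


if __name__ == "__main__":
    # Constructed packets between addresses from the procedures above.
    victim, attacker = "192.0.2.10", "198.51.100.7"
    land = parse_ipv4(build_ipv4(victim, victim, PROTO_TCP, build_tcp(80, 80, TCP_SYN)))
    pod = parse_ipv4(build_ipv4(attacker, victim, PROTO_ICMP, b"\x00" * 40, frag_offset=8189))
    print(screen_matches(land))   # ['tcp land']
    print(screen_matches(pod))    # ['icmp fragment', 'icmp ping-death']
```

Teardrop is the one check that needs more than a single packet: the screen has to hold the fragments of a datagram together and compare their byte ranges, which is why is_teardrop takes the whole set. The ping-of-death sample also trips icmp fragment, since any nonzero offset is enough for that screen; the two screens overlap by design.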
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Configuring TCP SYN-FIN Attack Screen 


This topic describes how to configure detection of a TCP SYN-FIN attack. 


A TCP header with both the SYN and FIN flags set is anomalous: no legitimate stack sends it, 
and recipients respond to it differently depending on the operating system, which makes it a 
useful OS fingerprinting probe. Blocking packets with SYN and FIN set helps prevent those 
OS probes. 


To enable detection of TCP SYN-FIN bits: 


1. Configure interfaces and assign an IP address to interfaces. 
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. Allowing all system services and protocols as host-inbound traffic on untrustZone, as in this lab example, exposes the device's own management and routing services to the untrusted side; restrict that list in a production deployment. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 

user@host# set security policies default-policy deny-all 


4. Configure security screens and attach them to untrustZone. 


user@host# set security screen ids-option untrustScreen tcp syn-fin 
user@host# set security zones security-zone untrustZone screen untrustScreen 
user@host# set security screen ids-option untrustScreen alarm-without-drop 


5. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


6. Commit the configuration. 


user@host# commit 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 

Configuring TCP fin-no-ack Attack Screen 


This topic describes how to configure detection of a TCP fin-no-ack attack. A TCP header 
with the FIN flag set but not the ACK flag is anomalous: a legitimate FIN always carries ACK, 
so such segments are typically FIN scans. 


To enable the FIN-with-no-ACK IDS option: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 

user@host# set security policies default-policy deny-all 


4. Configure security screens and attach them to untrustZone. 


user@host# set security screen ids-option untrustScreen tcp fin-no-ack 
user@host# set security zones security-zone untrustZone screen untrustScreen 
user@host# set security screen ids-option untrustScreen alarm-without-drop 


5. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


6. Commit the configuration. 


user@host# commit 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 

Configuring UDP Bomb Attack Screen 


If the UDP length field is smaller than the length reported by the IP header, the packet is 
malformed and is associated with a denial-of-service attempt. By default, the SRX Series 
device drops these packets; no configuration is required. 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 

Configuring UDP CHARGEN DoS Attack Screen 


This topic describes how to configure protection from a UDP CHARGEN DoS attack. 


NOTE: A UDP packet with a source port of 7 (echo) and a destination port of 19 (chargen) 
is detected as an attack: each service answers the other, so a single spoofed packet can 
start a traffic loop between the two hosts. 


To enable detection of a UDP CHARGEN DoS attack: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone with the Junos OS 
predefined application junos-chargen. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application junos-chargen 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then deny 

user@host# set security policies default-policy permit-all 


4. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


5. To let the packet reach the destination, change the policy action from deny to permit. 
Do this only to verify that the session is logged; the deny action in step 3 is what 
actually stops the CHARGEN traffic. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 


6. Commit the configuration. 


user@host# commit 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 

Configuring TCP SYN and RST Attack Screen 
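The UDP bomb and UDP CHARGEN checks above both work on header fields alone. The following Python program is an added example, not Junos OS code and not part of this guide: it builds IPv4/UDP packets in memory, reports a udp-bomb when the UDP length field is smaller than the IP payload length (the page's "UDP length less than the IP length", read here as the IP payload length, which is an assumption), and reports udp-chargen for source port 7 to destination port 19. It goes beyond the page in two places, both marked in the code: it also flags the reverse 19-to-7 direction, which is the same echo/chargen loop seen from the other side, and a UDP length larger than the IP payload, the other malformed case. The addresses and packets are constructed for illustration.

```python
"""Checks for the two UDP screens on this page: udp-bomb (UDP length field
inconsistent with the IP length) and the CHARGEN loop (echo port 7 to
chargen port 19). Added example, not Junos OS code; packets are constructed
inline with zero checksums."""
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # IPv4 header without options
UDP_HDR = "!HHHH"          # sport, dport, length, checksum
ECHO_PORT, CHARGEN_PORT = 7, 19
IPPROTO_UDP = 17


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload, udp_len=None):
    """Build raw IPv4+UDP bytes. udp_len overrides the UDP length field so a
    malformed packet can be produced on purpose (constructed test input)."""
    if udp_len is None:
        udp_len = 8 + len(payload)
    total_len = 20 + 8 + len(payload)
    ip = struct.pack(IP_HDR, 0x45, 0, total_len, 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack(UDP_HDR, sport, dport, udp_len, 0)
    return ip + udp + payload


def parse_ipv4_udp(pkt):
    """Return the header fields the checks need; rejects non-IPv4/UDP input."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != IPPROTO_UDP or ihl < 20:
        raise ValueError("not an IPv4/UDP packet")
    sport, dport, udp_len, _csum = struct.unpack(UDP_HDR, pkt[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ip_payload_len": total_len - ihl,
            "sport": sport, "dport": dport, "udp_len": udp_len}


def check_udp(pkt, both_directions=True):
    """Names of the checks the packet trips (empty list for a clean packet)."""
    f = parse_ipv4_udp(pkt)
    hits = []
    if f["udp_len"] < f["ip_payload_len"]:
        hits.append("udp-bomb")            # the page's definition (IP payload length assumed)
    elif f["udp_len"] > f["ip_payload_len"]:
        hits.append("udp-length-overrun")  # extra check, not on the page: UDP claims more than IP carries
    pair = (f["sport"], f["dport"])
    if pair == (ECHO_PORT, CHARGEN_PORT):
        hits.append("udp-chargen")         # 7 -> 19, as the page states
    elif both_directions and pair == (CHARGEN_PORT, ECHO_PORT):
        hits.append("udp-chargen")         # 19 -> 7, the same loop from the other side (extra)
    return hits


# Constructed samples (documentation addresses, not real hosts)
SAMPLES = {
    "dns query":     build_ipv4_udp("192.0.2.10", "198.51.100.53", 40000, 53, b"\x00" * 12),
    "udp bomb":      build_ipv4_udp("198.51.100.7", "192.0.2.10", 40000, 53, b"\x00" * 12, udp_len=8),
    "overrun":       build_ipv4_udp("198.51.100.7", "192.0.2.10", 40000, 53, b"\x00" * 12, udp_len=200),
    "chargen loop":  build_ipv4_udp("198.51.100.7", "192.0.2.10", ECHO_PORT, CHARGEN_PORT, b"A"),
    "chargen reply": build_ipv4_udp("192.0.2.10", "198.51.100.7", CHARGEN_PORT, ECHO_PORT, b"A"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} {check_udp(pkt) or 'clean'}")
```

Because the device drops UDP bomb packets by default, the udp-bomb branch is the one you would expect never to see in a session log; the CHARGEN branch corresponds to the junos-chargen policy match configured above.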


This topic describes how to configure detection of TCP packets in which both the SYN and 
RST flags are set. Unlike the preceding screens, this check is implemented as an IDP 
custom-attack signature rather than a screen option. 
To enable detection of a TCP SYN and RST attack: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 
3. Configure the IDP custom-attack signature. 


user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone 
any 

user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match 
source-address any 

user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone 
any 

user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match 
destination-address any 

user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match application 
default 

user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match attacks 
custom-attacks syn_rst 

user@host# set security idp idp-policy idpengine rulebase-ips rule 1 then action 
no-action 

user@host# set security idp idp-policy idpengine rulebase-ips rule 1 then notification 
log-attacks 

user@host# set security idp active-policy idpengine 

user@host# set security idp custom-attack syn_rst severity info 

user@host# set security idp custom-attack syn_rst attack-type signature context 
packet 

user@host# set security idp custom-attack syn_rst attack-type signature pattern 

user@host# set security idp custom-attack syn_rst attack-type signature direction 
any 

user@host# set security idp custom-attack syn_rst attack-type signature protocol tcp 
tcp-flags rst 

user@host# set security idp custom-attack syn_rst attack-type signature protocol tcp 
tcp-flags syn 


4. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit application-services idp 

user@host# set security policies default-policy deny-all 


5. Configure the tcp-session options in flow. These two options disable the flow module's first-packet SYN check and TCP sequence-number check so that the out-of-state SYN+RST segment reaches IDP instead of being dropped during session setup; they weaken stateful TCP protection and belong in a test setup only. 


user@host# set security flow tcp-session no-syn-check 
user@host# set security flow tcp-session no-sequence-check 


6. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


7. To allow the traffic to reach the destination, configure the tcp-session option. 


user@host# set security flow tcp-session relax-check 


8. Commit the configuration. 


user@host# commit 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 
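The four TCP flag checks described above (the tcp-no-flag, syn-fin and fin-no-ack screen options and the syn_rst custom-attack signature) all reduce to tests on one byte of the TCP header. The following Python program is an added example, not Junos OS code and not part of this guide: it builds a few TCP headers in memory, parses the flag byte and reports which of the four checks each header would trip. The port numbers and sample headers are constructed for illustration.

```python
"""Classifier for the TCP flag anomalies handled on this page: tcp-no-flag,
syn-fin and fin-no-ack (screen options) and SYN+RST (the syn_rst custom
signature). Added example, not Junos OS code; headers are constructed inline
with zero checksums."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset/flags, window, csum, urg


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Minimal 20-byte TCP header (data offset 5, no options). Constructed input."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(hdr):
    """Return (sport, dport, flag byte) from a raw TCP header."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", hdr[:14])
    if (offset_flags >> 12) < 5:
        raise ValueError("invalid data offset")
    return sport, dport, offset_flags & 0xFF


def classify_flags(flags):
    """Names of the checks a flag byte trips; one segment can trip several."""
    hits = []
    if (flags & 0xFF) == 0:
        hits.append("tcp-no-flag")   # no flag at all: never produced by a real stack
    if flags & SYN and flags & FIN:
        hits.append("syn-fin")       # open and close at once: OS fingerprinting probe
    if flags & FIN and not (flags & ACK):
        hits.append("fin-no-ack")    # FIN without ACK (a SYN+FIN segment lands here too)
    if flags & SYN and flags & RST:
        hits.append("syn-rst")       # what the syn_rst custom-attack signature matches
    return hits


def scan_headers(headers):
    """Run the classifier over raw headers and keep only the anomalous ones."""
    findings = []
    for hdr in headers:
        sport, dport, flags = parse_tcp_header(hdr)
        hits = classify_flags(flags)
        if hits:
            findings.append({"sport": sport, "dport": dport, "flags": flags, "hits": hits})
    return findings


# Constructed sample: three legitimate segments and four probes
SAMPLE_HEADERS = [
    build_tcp_header(40000, 443, SYN),          # normal connection attempt
    build_tcp_header(40001, 443, SYN | ACK),    # normal handshake reply
    build_tcp_header(40002, 22, 0),             # null scan
    build_tcp_header(40003, 22, SYN | FIN),     # SYN-FIN probe
    build_tcp_header(40004, 22, FIN),           # FIN scan
    build_tcp_header(40005, 22, SYN | RST),     # SYN+RST
    build_tcp_header(40006, 443, FIN | ACK),    # normal close
]

if __name__ == "__main__":
    for f in scan_headers(SAMPLE_HEADERS):
        print(f"{f['sport']}->{f['dport']} flags=0x{f['flags']:02x}: {', '.join(f['hits'])}")
```

Note that a SYN+FIN segment trips both the syn-fin and the fin-no-ack test, so enabling both screen options on a zone produces two log entries for one probe; the SYN+RST case is kept separate because the page handles it with an IDP signature rather than a screen.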


Configuring ICMP Flood Attack Screen 


This topic describes how to configure detection of an ICMP flood attack. 


An ICMP flood typically occurs when ICMP echo requests overload the victim with so many 
requests that it spends all its resources responding to them and can no longer process 
valid network traffic. When you enable ICMP flood protection, you can set a threshold 
that, once exceeded, invokes the ICMP flood attack protection feature. 


To enable detection of an ICMP flood attack: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 

user@host# set security policies default-policy deny-all 


4. Configure security screens and attach them to untrustZone. Without an explicit value, the icmp flood option uses the device's default packets-per-second threshold; use icmp flood threshold to tune it to the traffic the zone normally carries. 


user@host# set security screen ids-option untrustScreen icmp flood 
user@host# set security screen ids-option untrustScreen alarm-without-drop 
user@host# set security zones security-zone untrustZone screen untrustScreen 


5. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


6. Commit the configuration. 


user@host# commit 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 

Configuring TCP SYN Flood Attack Screen 


This topic describes how to configure detection of a TCP SYN flood attack. 


A SYN flood occurs when a host is so overwhelmed by SYN segments initiating incomplete 
connection requests that it can no longer process legitimate connection requests. 


To enable detection of a TCP SYN flood attack: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 

user@host# set security policies default-policy deny-all 


4. Configure security screens and attach them to untrustZone. 


user@host# set security screen ids-option untrustScreen tcp syn-flood 
user@host# set security screen ids-option untrustScreen alarm-without-drop 
user@host# set security zones security-zone untrustZone screen untrustScreen 


5. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


6. Commit the configuration. 


user@host# commit 
Configuring TCP Port Scan Attack Screen 


This topic describes how to configure detection of a TCP port scan attack. 


A port scan occurs when one source IP address sends IP packets containing TCP SYN 
segments to a defined number of different ports at the same destination IP address 
within a defined interval. 


To enable detection of a TCP port scan attack: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 

user@host# set security policies default-policy deny-all 





4. Configure security screens and attach them to untrustZone. 


user@host# set security screen ids-option untrustScreen tcp port-scan 
user@host# set security screen ids-option untrustScreen alarm-without-drop 
user@host# set security zones security-zone untrustZone screen untrustScreen 


5. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


6. Commit the configuration. 


user@host# commit 
Configuring UDP Port Scan Attack Screen 


This topic describes how to configure detection of a UDP port scan attack. 


A UDP port scan probes the target IP addresses for open, listening, or responsive services 
by targeting multiple protocols or ports on one or more target IP addresses. The probes may 
follow obvious (sequentially numbered) patterns of protocol or port numbers, or may hide 
the pattern by randomizing the protocol or port numbers and the time delays between 
transmissions. 


To enable detection of a UDP port scan attack: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 

user@host# set security policies default-policy deny-all 


4. Configure security screens and attach them to untrustZone. 


user@host# set security screen ids-option untrustScreen udp port-scan 
user@host# set security screen ids-option untrustScreen alarm-without-drop 
user@host# set security zones security-zone untrustZone screen untrustScreen 


5. Configure syslog. 


user@host# set system syslog file syslog any any 
user@host# set system syslog file syslog archive size 10000000 
user@host# set system syslog file syslog explicit-priority 
user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


6. Commit the configuration. 


user@host# commit 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 


Configuring IP Sweep Attack Screen 


This topic describes how to configure detection of an IP sweep attack. 


An address sweep occurs when one source IP address sends a defined number of ICMP 
packets to different hosts within a defined time interval (5000 microseconds is the 
default value). The purpose of this attack is to send ICMP packets, typically echo 
requests, to various hosts in the hope that at least one replies, thus uncovering an 
address to target. 


To enable detection of an IP sweep attack: 


1. Configure interfaces and assign an IP address to interfaces. 


user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24 


2. Configure security zones trustZone and untrustZone and assign interfaces to them. 


user@host# set security zones security-zone trustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone trustZone host-inbound-traffic protocols 
all 

user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
system-services all 

user@host# set security zones security-zone untrustZone host-inbound-traffic 
protocols all 

user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0 


3. Configure security policies from untrustZone to trustZone. 


user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match source-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match destination-address any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 match application any 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then permit 


Copyright © 2018, Juniper Networks, Inc. 


user@host# set security policies default-policy deny-all 


4. Configure security screens and attach them to untrustZone. 


user@host# set security screen ids-option untrustScreen icmp ip-sweep 
user@host# set security screen ids-option untrustScreen alarm-without-drop 
user@host# set security zones security-zone untrustZone screen untrustScreen 


5. Configure syslog. 


user@host# set system syslog file syslog any any 

user@host# set system syslog file syslog archive size 10000000 

user@host# set system syslog file syslog explicit-priority 

user@host# set system syslog file syslog structured-data 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-init 

user@host# set security policies from-zone untrustZone to-zone trustZone policy 
policy1 then log session-close 


6. Commit the configuration. 


user@host# commit 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 

Configuring the IDP Extended Package 
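The ICMP flood, TCP SYN flood, TCP and UDP port scan, and IP sweep screens in the preceding topics are all counters over a time window, keyed by destination (floods) or by source (scans and sweeps). The following Python program is an added example, not Junos OS code and not part of this guide: a small sliding-window detector that raises each of those alerts once, fed with a constructed event stream. Only the 5000-microsecond sweep interval comes from the page; the packets-per-second and port/host-count thresholds, the Event fields and the sample addresses are illustrative assumptions you would replace with the values configured under the screen's threshold options.

```python
"""Sliding-window detectors for the rate-based screens on this page: ICMP
flood, TCP SYN flood, TCP/UDP port scan and ICMP address (IP) sweep. Added
example, not Junos OS code. Only the 5000-microsecond sweep interval is
taken from the page; the other thresholds are illustrative assumptions.
Event streams are constructed inline."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts_us: int          # arrival time in microseconds
    src: str            # source IP
    dst: str            # destination IP
    proto: str          # "icmp", "tcp" or "udp"
    dport: int = 0      # destination port (tcp/udp)
    syn: bool = False   # TCP segment with SYN set and ACK clear


class ScreenDetector:
    """Counts events per key inside a time window and raises each alert once."""

    def __init__(self, flood_pps=1000, syn_pps=200, scan_ports=10,
                 scan_window_us=5000, sweep_hosts=10, sweep_window_us=5000):
        self.flood_pps, self.syn_pps = flood_pps, syn_pps
        self.scan_ports, self.scan_window_us = scan_ports, scan_window_us
        self.sweep_hosts, self.sweep_window_us = sweep_hosts, sweep_window_us
        self.windows = defaultdict(deque)   # (check, key) -> deque of (ts, item)
        self.fired = set()

    def _count(self, check, key, ts, item, window_us, distinct):
        """Record the event and return how many (or how many distinct items) remain in the window."""
        dq = self.windows[(check, key)]
        dq.append((ts, item))
        while dq and ts - dq[0][0] > window_us:   # drop events that aged out of the window
            dq.popleft()
        return len({i for _, i in dq}) if distinct else len(dq)

    def _alert(self, alerts, check, key):
        if (check, key) not in self.fired:
            self.fired.add((check, key))
            alerts.append((check, key))

    def feed(self, ev):
        alerts = []
        if ev.proto == "icmp":
            # icmp flood: ICMP packets per second aimed at one destination
            if self._count("icmp-flood", ev.dst, ev.ts_us, None, 1_000_000, False) > self.flood_pps:
                self._alert(alerts, "icmp-flood", ev.dst)
            # ip-sweep: one source probing many hosts inside the sweep interval
            if self._count("ip-sweep", ev.src, ev.ts_us, ev.dst, self.sweep_window_us, True) >= self.sweep_hosts:
                self._alert(alerts, "ip-sweep", ev.src)
        elif (ev.proto == "tcp" and ev.syn) or ev.proto == "udp":
            if ev.proto == "tcp":
                # syn-flood: half-open connection attempts per second at one destination
                if self._count("syn-flood", ev.dst, ev.ts_us, None, 1_000_000, False) > self.syn_pps:
                    self._alert(alerts, "syn-flood", ev.dst)
            # port-scan: one source hitting many ports of one host inside the scan interval
            check = f"{ev.proto}-port-scan"
            if self._count(check, (ev.src, ev.dst), ev.ts_us, ev.dport, self.scan_window_us, True) >= self.scan_ports:
                self._alert(alerts, check, ev.src)
        return alerts


def run_detector(events):
    det = ScreenDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts_us):
        alerts.extend(det.feed(ev))
    return alerts


def sample_attack_events():
    """Constructed stream: a SYN port scan, an ICMP sweep, an ICMP flood and a SYN flood."""
    evs = []
    # SYN to 12 ports of one host, 100 us apart
    evs += [Event(p * 100, "198.51.100.7", "192.0.2.10", "tcp", dport=p, syn=True) for p in range(1, 13)]
    # ICMP echo to 12 different hosts, 200 us apart
    evs += [Event(1_000_000 + h * 200, "198.51.100.9", f"192.0.2.{h}", "icmp") for h in range(1, 13)]
    # 1200 ICMP echo requests to one host inside one second
    evs += [Event(2_000_000 + i * 800, "198.51.100.50", "192.0.2.10", "icmp") for i in range(1200)]
    # 300 SYNs to port 80 of one host inside one second, from 50 sources
    evs += [Event(4_000_000 + i * 3000, f"203.0.113.{i % 50}", "192.0.2.20", "tcp", dport=80, syn=True)
            for i in range(300)]
    return evs


def sample_benign_events():
    """Constructed stream: a few HTTPS connections and pings, one second apart."""
    return ([Event(i * 1_000_000, f"203.0.113.{i}", "192.0.2.20", "tcp", dport=443, syn=True) for i in range(5)]
            + [Event(i * 1_000_000 + 500, f"203.0.113.{i}", "192.0.2.20", "icmp") for i in range(5)])


if __name__ == "__main__":
    for check, key in run_detector(sample_attack_events()):
        print(f"{check}: {key}")
    print("benign alerts:", run_detector(sample_benign_events()))
```

The detector reports each (check, key) pair once, which is the behaviour you want from alarm-without-drop when the screen is being tuned: one log line per offending source or target rather than one per packet, so the threshold can be raised until the benign stream stays silent.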


• IDP Extended Package Configuration Overview on page 107 


IDP Extended Package Configuration Overview 


The Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively 
enforce various attack detection and prevention techniques on network traffic passing 
through an IDP-enabled device. It allows you to define policy rules to match a section of 
traffic based on a zone, network, and application, and then take active or passive 
preventive actions on that traffic. 


An IDP policy defines how your device handles the network traffic. It allows you to enforce 
various attack detection and prevention techniques on traffic traversing your network. 


A policy is made up of rule bases, and each rule base contains a set of rules. You define 
rule parameters, such as traffic match conditions, action, and logging requirements, then 
add the rules to rule bases. After you create an IDP policy by adding rules in one or more 
rule bases, you can select that policy to be the active policy on your device. 


To configure the IDP extended package (IPS-EP) perform the following steps: 


1. Enable IPS in a security policy. See Configuring IDP Policy Rules and IDP Rulebases in 
the Junos OS Release 12.3X48-D10 Intrusion Detection and Prevention Feature Guide 
for Security Devices published on 2016-01-12 for Junos OS Release 12.3X48-D10 released 
on 2015-03-06. 


2. Configure IDP policy rules, IDP rule bases, and IDP rule actions. See Configuring IDP 
Policy Rules and IDP Rulebases in the Junos OS Release 12.3X48-D10 Intrusion Detection 
and Prevention Feature Guide for Security Devices published on 2016-01-12 for Junos 
OS Release 12.3X48-D10 released on 2015-03-06. 


3. Configure IDP custom signatures. See Understanding IDP Signature-Based Attacks 
and Example: Configuring IDP Signature-Based Attacks in the Junos OS Release 
12.3X48-D10 Intrusion Detection and Prevention Feature Guide for Security Devices 
published on 2016-01-12 for Junos OS Release 12.3X48-D10 released on 2015-03-06. 


4. Update the IDP signature database. See Updating the IDP Signature Database Overview 
in the Junos OS Release 12.3X48-D10 Intrusion Detection and Prevention Feature Guide 
for Security Devices published on 2016-01-12 for Junos OS Release 12.3X48-D10 released 
on 2015-03-06. 


Related Documentation    • Intrusion Detection and Prevention Feature Guide for Security Devices 

CHAPTER 14 


Configuration Statements 


• checksum-validate on page 110 
• code on page 111 
• data-length on page 112 
• destination-option on page 113 
• extension-header on page 114 
• header-type on page 115 
• home-address on page 116 
• identification on page 117 
• icmpv6 (Security IDP Custom Attack) on page 118 
• ihl (Security IDP Custom Attack) on page 119 
• option-type on page 120 
• reserved (Security IDP Custom Attack) on page 121 
• routing-header on page 122 
• sequence-number (Security IDP ICMPv6 Headers) on page 123 
• type (Security IDP ICMPv6 Headers) on page 124 

checksum-validate 


Syntax checksum-validate { 
match (equal | greater-than | less-than | not-equal); 
value checksum-value; 


} 


Hierarchy Level [edit security idp custom-attack attack-name attack-type signature protocol ipv4] 
[edit security idp custom-attack attack-name attack-type signature protocol tcp] 
[edit security idp custom-attack attack-name attack-type signature protocol udp] 
[edit security idp custom-attack attack-name attack-type signature protocol icmp] 
[edit security idp custom-attack attack-name attack-type signature protocol icmpv6] 


Release Information Statement introduced in Junos OS Release 12.3X48-D30. 


Description Allow IDP to validate the checksum field against the calculated checksum. 


Options match (equal | greater-than | less-than | not-equal)—Match an operand. 


value checksum-value—Match a decimal value. 
Range: 0 through 65,535 


Required Privilege security—To view this statement in the configuration. 
Level security-control—To add this statement to the configuration. 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 
code 


Syntax code { 
match (equal | greater-than | less-than | not-equal); 
value code-value; 
} 


Hierarchy Level [edit security idp custom-attack attack-name attack-type signature protocol icmpv6] 


Release Information Statement introduced in Junos OS Release 12.3X48-D30. 


Description Specify the secondary code that identifies the function of the request/reply within a given 
type. 


Options • match (equal | greater-than | less-than | not-equal)—Match an operand. 

• value code-value—Match a decimal value. 
Range: 0 through 255 


Required Privilege security—To view this statement in the configuration. 
Level security-control—To add this statement to the configuration. 


Related Documentation    • IDP Extended Package Configuration Overview on page 107 
data-length

Syntax  data-length {
          match (equal | greater-than | less-than | not-equal);
          value data-length;
        }

Hierarchy Level  [edit security idp custom-attack attack-name attack-type signature protocol udp]
                 [edit security idp custom-attack attack-name attack-type signature protocol icmp]
                 [edit security idp custom-attack attack-name attack-type signature protocol icmpv6]
                 [edit security idp custom-attack attack-name attack-type signature protocol tcp]

Release Information  Statement introduced in Junos OS Release 9.3.

Description  Specify the number of bytes in the data payload. In the TCP header, for SYN, ACK, and FIN packets, this field should be empty.

Options  • match (equal | greater-than | less-than | not-equal)—Match an operand.
         • value data-length—Match the number of bytes in the data payload.
           Range: 0 through 65,535

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
destination-option

Syntax  destination-option {
          home-address {
            match (equal | greater-than | less-than | not-equal);
            value header-value;
          }
          option-type {
            match (equal | greater-than | less-than | not-equal);
            value header-value;
          }
        }

Hierarchy Level  [edit set security idp custom-attack attack-name attack-type signature protocol ipv6 extension-header]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the IPv6 destination option for the extension header. The destination-option statement inspects the option type and the home-address field of the destination options extension header and reports a custom attack if a match is found. The destination-option statement supports inspection of the home-address field type.

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
extension-header

Syntax  extension-header {
          destination-option {
            home-address {
              match (equal | greater-than | less-than | not-equal);
              value header-value;
            }
            option-type {
              match (equal | greater-than | less-than | not-equal);
              value header-value;
            }
          }
          routing-header {
            header-type {
              match (equal | greater-than | less-than | not-equal);
              value header-value;
            }
          }
        }

Hierarchy Level  [edit set security idp custom-attack attack-name attack-type signature protocol ipv6]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the IPv6 extension header.

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
header-type

Syntax  header-type {
          match (equal | greater-than | less-than | not-equal);
          value header-value;
        }

Hierarchy Level  [edit set security idp custom-attack attack-name attack-type signature protocol ipv6 extension-header routing-header]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the IPv6 routing header type.

Options  match (equal | greater-than | less-than | not-equal)—Match an operand.
         value—Match a decimal value.
         Range: 0 through 255

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
home-address

Syntax  home-address {
          match (equal | greater-than | less-than | not-equal);
          value value;
        }

Hierarchy Level  [edit set security idp custom-attack attack-name attack-type signature protocol ipv6 extension-header destination-option]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the IPv6 home address of the mobile node.

Options  match (equal | greater-than | less-than | not-equal)—Match an operand.
         value—Match a decimal value.

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
identification

Syntax  identification {
          match (equal | greater-than | less-than | not-equal);
          value identification-value;
        }

Hierarchy Level  [edit security idp custom-attack attack-name attack-type signature protocol icmpv6]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify a unique value used by the destination system to associate requests and replies.

Options  • match (equal | greater-than | less-than | not-equal)—Match an operand.
         • value identification-value—Match a decimal value.
           Range: 0 through 65,535

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
icmpv6 (Security IDP Custom Attack)

Syntax  icmpv6 {
          checksum-validate {
            match (equal | greater-than | less-than | not-equal);
            value checksum-value;
          }
          code {
            match (equal | greater-than | less-than | not-equal);
            value code-value;
          }
          data-length {
            match (equal | greater-than | less-than | not-equal);
            value data-length;
          }
          identification {
            match (equal | greater-than | less-than | not-equal);
            value identification-value;
          }
          sequence-number {
            match (equal | greater-than | less-than | not-equal);
            value sequence-number;
          }
          type {
            match (equal | greater-than | less-than | not-equal);
            value type-value;
          }
        }

Hierarchy Level  [edit security idp custom-attack attack-name attack-type signature protocol]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Allow IDP to match the attack against the specified ICMPv6 header fields.

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
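The fields named by the icmpv6 statements above (type, code, identification, sequence-number, data-length) and the comparison that checksum-validate performs are easiest to understand on real bytes. The following Python is an added example, not Junos code or Juniper's implementation: it parses a constructed ICMPv6 Echo Request, computes the RFC 4443 checksum over the IPv6 pseudo-header, and evaluates a signature written in the page's match/value form. The addresses, identifier, sequence number and payload are constructed sample values, and combining the clauses with AND is an assumption about how the operands are evaluated, not something this page states.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58    # IPv6 Next Header value for ICMPv6 (RFC 4443)
ICMPV6_ECHO_REQUEST = 128  # type value of an Echo Request


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP-family checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 section 2.3: checksum over the IPv6 pseudo-header plus the
    ICMPv6 message, with the message's own checksum field taken as zero.
    Because of the pseudo-header the value depends on both addresses."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return 0xFFFF ^ ones_complement_sum(pseudo + zeroed)


def checksum_is_valid(src: str, dst: str, msg: bytes) -> bool:
    """True when the checksum field equals the calculated checksum, which
    is the comparison checksum-validate is documented to make."""
    (field,) = struct.unpack("!H", msg[2:4])
    return field == icmpv6_checksum(src, dst, msg)


def parse_icmpv6_echo(msg: bytes) -> dict:
    """The fields the icmpv6 statements name: type, code, checksum,
    identification, sequence-number and data-length (payload bytes)."""
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": typ, "code": code, "checksum": csum,
            "identification": ident, "sequence-number": seq,
            "data-length": len(msg) - 8}


# The four match operands every statement on this page accepts.
OPERANDS = {
    "equal": lambda field, value: field == value,
    "greater-than": lambda field, value: field > value,
    "less-than": lambda field, value: field < value,
    "not-equal": lambda field, value: field != value,
}


def signature_matches(fields: dict, signature: dict) -> bool:
    """signature maps a statement name to (match, value), for example
    {"type": ("equal", 128)}; all clauses must hold for a hit (assumed AND)."""
    return all(OPERANDS[op](fields[name], value)
               for name, (op, value) in signature.items())


def build_echo_request(src, dst, ident, seq, payload, corrupt=False):
    """Constructed Echo Request with a correct checksum, or with the
    checksum field off by one when corrupt=True."""
    msg = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + payload
    csum = icmpv6_checksum(src, dst, msg)
    if corrupt:
        csum = (csum + 1) & 0xFFFF
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def demo() -> dict:
    """Evaluate one header signature and the checksum check against a
    well-formed and a corrupted Echo Request (constructed sample data)."""
    src, dst = "2001:db8::1", "2001:db8::2"
    # Clauses in the page's match/value form: Echo Request, code 0,
    # more than 16 payload bytes.
    signature = {"type": ("equal", ICMPV6_ECHO_REQUEST),
                 "code": ("equal", 0),
                 "data-length": ("greater-than", 16)}
    results = {}
    for label, corrupt in (("well-formed", False), ("corrupted", True)):
        msg = build_echo_request(src, dst, 0x1234, 7, b"A" * 32, corrupt)
        fields = parse_icmpv6_echo(msg)
        results[label] = {"header-match": signature_matches(fields, signature),
                          "checksum-ok": checksum_is_valid(src, dst, msg)}
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Both packets satisfy the header clauses; only the checksum check separates them. Because the ICMPv6 checksum covers the pseudo-header, recomputing it needs the source and destination addresses, so the same message is valid for one address pair and invalid for another.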
ihl (Security IDP Custom Attack)

Syntax  ihl {
          match (equal | greater-than | less-than | not-equal);
          value ihl-value;
        }

Hierarchy Level  [edit set security idp custom-attack ipv4_custom attack-type signature protocol ipv4]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the IPv4 header length in words.

Options  match (equal | greater-than | less-than | not-equal)—Match an operand.
         value—Match a decimal value.
         Range: 0 through 15

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
option-type

Syntax  option-type {
          match (equal | greater-than | less-than | not-equal);
          value header-value;
        }

Hierarchy Level  [edit security idp custom-attack attack-name attack-type signature protocol ipv6 extension-header destination-option]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the option type to match in the destination options header.

Options  match (equal | greater-than | less-than | not-equal)—Match an operand.
         value—Match a decimal value.
         Range: 0 through 255

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
reserved (Security IDP Custom Attack)

Syntax  reserved {
          match (equal | greater-than | less-than | not-equal);
          value reserved-value;
        }

Hierarchy Level  [edit security idp custom-attack ipv4_custom attack-type signature protocol tcp]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the three reserved bits in the TCP header field.

Options  match (equal | greater-than | less-than | not-equal)—Match an operand.
         value—Match a decimal value.
         Range: 0 through 7

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
routing-header

Syntax  routing-header {
          header-type {
            match (equal | greater-than | less-than | not-equal);
            value header-value;
          }
        }

Hierarchy Level  [edit set security idp custom-attack attack-name attack-type signature protocol ipv6 extension-header]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the IPv6 routing header type. The routing-header option inspects the routing header type field and reports a custom attack if a match with the specified value is found. The routing-header option supports the following routing header types: routing-header-type0, routing-header-type1, and so on.

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
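The extension-header, destination-option, home-address, option-type, routing-header and header-type statements on this page all read values out of an IPv6 packet's extension header chain. The following Python is an added example, not Junos code or Juniper's implementation: it builds a constructed packet carrying a Routing header followed by a Destination Options header with a Home Address option, walks the chain the way those statements would, and reports the routing header type, the option types present and the home address. The addresses are constructed; the Home Address option type 201 and its 8n+6 alignment come from RFC 6275, and Routing header type 0 is the type RFC 5095 deprecated, which is why a detection signature on header-type commonly targets it.

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers)
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6, NH_DSTOPTS = 0, 43, 44, 58, 60
HOME_ADDRESS_OPTION = 201   # Mobile IPv6 Home Address option, RFC 6275 section 6.3
PAD1, PADN = 0, 1           # padding options, not reported as option types
RH0 = 0                     # Routing header type 0, deprecated by RFC 5095


def parse_extension_headers(pkt: bytes) -> dict:
    """Walk the chain after the 40-byte IPv6 header and record what the
    extension-header statements inspect: routing-header header-type,
    destination-option option-type and home-address."""
    out = {"routing-header-type": None, "destination-option-types": [],
           "home-address": None, "upper-layer": None}
    next_hdr, offset = pkt[6], 40
    while True:
        if next_hdr == NH_ROUTING:
            nh, ext_len, rtype = pkt[offset], pkt[offset + 1], pkt[offset + 2]
            out["routing-header-type"] = rtype
            length = (ext_len + 1) * 8
        elif next_hdr in (NH_HOPOPTS, NH_DSTOPTS):
            nh, ext_len = pkt[offset], pkt[offset + 1]
            length = (ext_len + 1) * 8
            if next_hdr == NH_DSTOPTS:
                _scan_options(pkt[offset + 2:offset + length], out)
        elif next_hdr == NH_FRAGMENT:
            nh, length = pkt[offset], 8     # fragment header is fixed at 8 bytes
        else:
            out["upper-layer"] = next_hdr   # reached the upper-layer protocol
            return out
        next_hdr, offset = nh, offset + length


def _scan_options(opts: bytes, out: dict) -> None:
    """TLV options inside a Destination Options header."""
    i = 0
    while i < len(opts):
        otype = opts[i]
        if otype == PAD1:               # Pad1 has no length byte
            i += 1
            continue
        olen = opts[i + 1]
        if otype != PADN:
            out["destination-option-types"].append(otype)
            if otype == HOME_ADDRESS_OPTION and olen == 16:
                out["home-address"] = str(ipaddress.IPv6Address(opts[i + 2:i + 18]))
        i += 2 + olen


def routing_header(next_hdr: int, rtype: int, addresses) -> bytes:
    """Generic routing header: NH, HdrExtLen, Routing Type, Segments Left,
    four reserved bytes, then the address list."""
    data = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return bytes([next_hdr, len(data) // 8, rtype, len(addresses)]) + b"\x00" * 4 + data


def dest_options_home_address(next_hdr: int, home: str) -> bytes:
    """Destination Options header carrying one Home Address option.  PadN
    before it gives the 8n+6 alignment RFC 6275 requires; PadN after it
    pads the header to 24 bytes (HdrExtLen = 2)."""
    option = bytes([HOME_ADDRESS_OPTION, 16]) + ipaddress.IPv6Address(home).packed
    return bytes([next_hdr, 2, PADN, 0]) + option + bytes([PADN, 0])


def ipv6_packet(src: str, dst: str, first_nh: int, body: bytes) -> bytes:
    """Fixed IPv6 header (version 6, hop limit 64) in front of body."""
    return (struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)


def demo() -> dict:
    """Constructed packet: IPv6 -> Routing (type 0) -> Destination Options
    (Home Address) -> ICMPv6, as the statements on this page would see it."""
    body = (routing_header(NH_DSTOPTS, RH0, ["2001:db8::3"])
            + dest_options_home_address(NH_ICMPV6, "2001:db8:100::1")
            + bytes(8))                   # placeholder ICMPv6 header
    pkt = ipv6_packet("2001:db8::1", "2001:db8::2", NH_ROUTING, body)
    fields = parse_extension_headers(pkt)
    # What a header-type clause "match equal, value 0" would flag.
    fields["rh0-present"] = fields["routing-header-type"] == RH0
    return fields


if __name__ == "__main__":
    print(demo())
```

The parser keeps walking until it reaches a Next Header value it does not treat as an extension header, so a Routing header buried behind Hop-by-Hop or Fragment headers is still found; that ordering independence is what a custom attack on header-type relies on.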
sequence-number (Security IDP ICMPv6 Headers)

Syntax  sequence-number {
          match (equal | greater-than | less-than | not-equal);
          value sequence-number;
        }

Hierarchy Level  [edit security idp custom-attack attack-name attack-type signature protocol icmpv6]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the sequence number of the packet. This number identifies the location of the request/reply in relation to the entire sequence.

Options  • match (equal | greater-than | less-than | not-equal)—Match an operand.
         • value sequence-number—Match a decimal value.
           Range: 0 through 65,535

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
type (Security IDP ICMPv6 Headers)

Syntax  type {
          match (equal | greater-than | less-than | not-equal);
          value type-value;
        }

Hierarchy Level  [edit security idp custom-attack attack-name attack-type signature protocol icmpv6]

Release Information  Statement introduced in Junos OS Release 12.3X48-D30.

Description  Specify the primary code that identifies the function of the request/reply.

Options  match (equal | greater-than | less-than | not-equal)—Match an operand.
         value type-value—Match a decimal value.
         Range: 0 through 255

Required Privilege Level  security—To view this statement in the configuration.
                          security-control—To add this statement to the configuration.

Related Documentation  • IDP Extended Package Configuration Overview on page 107
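Every statement on this page documents a value range, and some are easy to get wrong: ihl is counted in 32-bit words, not bytes, and reserved is three bits. The following Python is an added example, not Juniper code: it checks a list of match/value clauses against the ranges documented on this page and renders the accepted clauses as set commands on the hierarchy paths the page lists. The attack name ipv4_custom is taken from the page's own hierarchy examples; the severity, context packet and direction any lines are assumed companions of a signature custom attack and are not documented on this page.

```python
# Statement path under [edit security idp custom-attack <name> attack-type
# signature protocol ...] -> (upper bound, meaning of the value).  The lower
# bound is 0 everywhere.  Ranges are the ones documented on this page.
RANGES = {
    ("ipv4", "ihl"): (15, "IPv4 header length in 32-bit words"),
    ("tcp", "reserved"): (7, "three reserved bits of the TCP header"),
    ("icmpv6", "type"): (255, "ICMPv6 type"),
    ("icmpv6", "code"): (255, "ICMPv6 code"),
    ("icmpv6", "identification"): (65535, "ICMPv6 identification"),
    ("icmpv6", "sequence-number"): (65535, "ICMPv6 sequence number"),
    ("icmpv6", "data-length"): (65535, "payload bytes"),
    ("icmpv6", "checksum-validate"): (65535, "checksum value"),
    ("ipv6", "extension-header", "routing-header", "header-type"):
        (255, "IPv6 routing header type"),
    ("ipv6", "extension-header", "destination-option", "option-type"):
        (255, "destination option type"),
}
OPERANDS = ("equal", "greater-than", "less-than", "not-equal")


def clause_error(path, match, value):
    """None when the clause is acceptable, otherwise a message saying why."""
    if match not in OPERANDS:
        return "unknown match operand %r" % (match,)
    if path not in RANGES:
        return "statement %r is not in the range table" % (" ".join(path),)
    upper, meaning = RANGES[path]
    if not isinstance(value, int) or not 0 <= value <= upper:
        return "%s value %r outside 0 through %d (%s)" % (path[-1], value, upper, meaning)
    return None


def render_custom_attack(name, clauses, severity="info"):
    """Render set commands for a signature custom attack.  The severity,
    context packet and direction any lines are assumed companions of a
    signature attack (not documented on this page).  Raises ValueError on
    the first clause that fails the range check, so nothing partial is
    emitted."""
    base = "set security idp custom-attack %s" % name
    lines = ["%s severity %s" % (base, severity),
             "%s attack-type signature context packet" % base,
             "%s attack-type signature direction any" % base]
    for path, match, value in clauses:
        err = clause_error(path, match, value)
        if err:
            raise ValueError(err)
        stmt = "%s attack-type signature protocol %s" % (base, " ".join(path))
        lines.append("%s match %s" % (stmt, match))
        lines.append("%s value %d" % (stmt, value))
    return lines


def demo():
    """A valid attack (IPv4 header longer than the 5-word minimum, i.e.
    options present) and the error for the common slip of giving ihl in
    bytes (20) rather than words (5)."""
    ok = render_custom_attack("ipv4_custom", [(("ipv4", "ihl"), "greater-than", 5)])
    mistake = clause_error(("ipv4", "ihl"), "equal", 20)
    return ok, mistake


if __name__ == "__main__":
    lines, err = demo()
    print("\n".join(lines))
    print("rejected:", err)
```

Running the check before pasting commands into a candidate configuration turns a silent out-of-range commit error into a message that names the statement and the documented bound.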